NE40E V800R010C10SPC500 Feature Description - Security 01

URPF on an Interface

Unicast Reverse Path Forwarding (URPF) is classified into strict URPF and loose URPF. When Layer 3 IP packets are sent to the NP, the FIB is queried for them. If the matched route is a local route, the packets must pass the URPF check before being sent to the CPU. The URPF check uses the routing table to determine whether the source IP address of the packets is valid.

The URPF check can be performed in strict mode, in loose mode, or in a mode that allows packets to match default routes.

  • In strict URPF mode, packets are allowed to be sent only if they match detailed routes and the interface on which they arrive is the outbound interface of the matched routes; otherwise, packets are discarded.

  • In loose URPF mode, packets are allowed to be sent if they match detailed routes; otherwise, packets are discarded. By default, the default route is treated as nonexistent. Packets are not matched against the default route until the default route is configured.

The mode that allows packets to match the default route must be configured together with strict URPF mode. In this case, packets are allowed to be sent when they match detailed routes or the default route and the inbound interface of the packets matches the outbound interface of the matched route; otherwise, packets are discarded. The default route and loose URPF mode cannot be configured at the same time; otherwise, attack defense does not work. Loose URPF mode and strict URPF mode are mutually exclusive, so only one of them can be configured at a time.
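The check modes described above, as an added Python sketch (not Huawei code or device configuration). The FIB entries, interface names and the function names `lookup` and `urpf_check` are constructed for illustration, and each prefix is assumed to have a single outbound interface.

```python
import ipaddress

# Constructed sample FIB: (prefix, outbound interface). Values are illustrative.
FIB = [
    ("0.0.0.0/0", "GE0/0/0"),     # default route
    ("10.1.0.0/16", "GE0/0/1"),   # detailed route
    ("10.1.2.0/24", "GE0/0/2"),   # more specific detailed route
]

def lookup(fib, addr):
    """Longest-prefix match of addr; returns (network, out_if) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best

def urpf_check(fib, src, in_if, mode, allow_default=False):
    """Return True if a packet with source src arriving on in_if passes URPF."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    if mode == "loose" and allow_default:
        # A default route matches every source address, so a loose check
        # that honours it would pass all packets.
        raise ValueError("default-route matching requires strict mode")
    if not allow_default:
        # The default route is treated as nonexistent for the check.
        fib = [e for e in fib if ipaddress.ip_network(e[0]).prefixlen != 0]
    match = lookup(fib, src)
    if match is None:
        return False              # no route back to the source: discard
    if mode == "loose":
        return True               # any detailed route is sufficient
    return match[1] == in_if      # strict: inbound must equal route's outbound

if __name__ == "__main__":
    for src, in_if, mode, dflt in [
        ("10.1.2.5", "GE0/0/2", "strict", False),
        ("10.1.2.5", "GE0/0/1", "strict", False),
        ("10.1.2.5", "GE0/0/1", "loose", False),
        ("203.0.113.9", "GE0/0/0", "strict", True),
    ]:
        verdict = "pass" if urpf_check(FIB, src, in_if, mode, dflt) else "discard"
        print(f"{src:<12} in={in_if} mode={mode} allow_default={dflt}: {verdict}")
```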

URPF on an interface protects a device against attacks that use variable source IP addresses. Attackers always send a huge number of attack packets using variable IP addresses. Therefore, performing URPF on an interface before IP packets are sent to the CPU is recommended. This reduces the probability of being attacked by packets from variable IP addresses.

Updated: 2019-01-03

Document ID: EDOC1100055047
