NE40E V800R010C10SPC500 Feature Description - Security 01

URPF Fundamentals

URPF works by enabling a device to verify the reachability of the source address in a received packet. If the source IP address is unreachable, the packet is discarded.

In a complex network environment, routes may be asymmetrical, and URPF then cannot work normally.

To address this problem, the NE40E supports two URPF modes:

  • Strict mode

  • Loose mode

Strict Mode

In strict URPF mode, a data packet can pass the URPF check only when the forwarding table contains a matching entry and the outbound interface of the entry matches the inbound interface of the packet.

After interface-based strict URPF is enabled on a router, the router searches the routing table for a matching entry based on the source IP (IPv6) address of a received data packet. If the router finds such an entry, the router compares the outbound interface of the entry with the inbound interface of the packet. If the two interfaces match, the router considers the packet to have passed the URPF check and forwards it normally. If no such entry is found in the routing table, or the outbound interface of the entry and the inbound interface of the packet do not match, the router considers the source address of the data packet to be a bogus source address and discards the data packet.

If there is only one path between two network edge routers, symmetrical routes can be assured. In this case, using strict URPF can ensure network security to the maximum extent.

In strict URPF mode, the URPF check can also be performed against default routes when no specific route exists but a default route does. In that case URPF still checks for source address spoofing, because it also verifies interface consistency.

Loose Mode

In loose URPF mode, a packet can pass the URPF check as long as there is a route whose destination covers the source address of the packet, regardless of whether the outbound interface of the route and the inbound interface of the packet match.

After interface-based loose URPF is enabled on a router, the router searches the routing table for an entry based on the source IP (IPv6) address of a received data packet. If a matching entry is found, the data packet passes the URPF check and is forwarded normally. If no matching entry is found, the source address of the packet is considered to be a bogus source address, and the packet is discarded.

If there are multiple connections between two network edge devices, symmetrical routes cannot be assured. In this case, loose URPF can ensure network security to a certain extent.

In loose URPF mode, the URPF check can also be performed against default routes when no specific route exists but a default route does. However, this configuration has no practical significance: loose URPF mode does not check interface consistency, so every source address matches the default route and passes.

NOTE:
In a VPN, the NE40E searches the routing table for an entry based on the source IP (IPv6) address and the VRF (VPN index) of a received data packet.
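
The strict and loose checks described above can be modelled in a few lines. This is an added example, not Huawei code or NE40E configuration: the forwarding entries, interface names and the `allow_default` flag are constructed for illustration, and the per-VRF lookup from the note is not modelled.

```python
import ipaddress

# Constructed forwarding table: (prefix, outbound interface). Names are hypothetical.
FIB = [
    ("10.1.0.0/16", "GE0/1/0"),
    ("10.2.0.0/16", "GE0/2/0"),
]
DEFAULT_ROUTE = ("0.0.0.0/0", "GE0/3/0")


def lookup(fib, src):
    """Longest-prefix match on the packet's SOURCE address; (network, ifname) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src, in_if, mode, allow_default=False):
    """Return True if the packet passes the URPF check, False if it is discarded."""
    match = lookup(fib, src)
    if match is None:
        return False                  # no route back to the source: treated as bogus
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route matched, and that is not allowed
    if mode == "loose":
        return True                   # any matching route is enough
    if mode == "strict":
        return out_if == in_if        # route must point back out of the arrival interface
    raise ValueError(f"unknown URPF mode: {mode}")


if __name__ == "__main__":
    # A legitimate 10.1.0.0/16 host whose traffic arrives on GE0/2/0 (asymmetrical route).
    for mode in ("strict", "loose"):
        print(mode, urpf_check(FIB, "10.1.5.5", "GE0/2/0", mode))
    # With a default route allowed, loose mode accepts any source address.
    fib = FIB + [DEFAULT_ROUTE]
    print("loose+default", urpf_check(fib, "192.0.2.9", "GE0/1/0", "loose", True))
```

Running it shows the trade-off the text describes: strict mode discards the asymmetrically routed but legitimate packet, while loose mode with a default route accepts even an address that has no specific route.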
Updated: 2019-01-03

Document ID: EDOC1100055047