NE40E V800R010C10SPC500 Feature Description - Security 01

Application Scenarios for URPF

Application of Strict URPF on an ISP Network

In Figure 7-3, CE-1 on network A and CE-2 on network B are connected to PE-1 on the ISP network. URPF is enabled on Port1 and Port2 of PE-1 to protect the ISP network against source address spoofing attacks from Network A and Network B.

Figure 7-3 Schematic diagram of application of strict URPF on an ISP Network

In this example, a PC in Network A sends a request packet with the forged source address 2.2.2.2 to Network C. After receiving the request packet, PE-1 performs the URPF check based on the inbound interface and source address of the packet. PE-1 finds that the request packet should enter through Port2, but it entered through Port1. PE-1 considers the source address of the packet to be a bogus source address and discards the packet. In this manner, PE-1 is protected against the source address spoofing attack.

Application of Strict URPF Across ASs

In Figure 7-4, there is one path between AS1 and AS3 and another path between AS2 and AS3. URPF is enabled on Port1 and Port2 of Device C to protect AS3 against source address spoofing attacks launched by AS1 and AS2.

Figure 7-4 Schematic diagram of application of strict URPF across ASs

In this example, a PC in a network sends a request packet with the forged source address 2.2.2.2 to the server on the ISP. After receiving the request packet, Device C performs the URPF check on the packet based on its source address and inbound interface. Device C finds that the request packet should enter through Port2, but it entered through Port1. Therefore, Device C considers the source address of the packet to be a bogus source address and discards the packet.

After normal packets sent to the server by a user in AS2 pass the URPF check, the packets are forwarded normally.

Application of Loose URPF on ISP Networks

Loose URPF is applicable to the scenario where a client is dual-homed to devices on an ISP network as well as the scenario where a client is dual-homed to devices on different ISP networks.

In the example shown in Figure 7-5, multiple connections are set up between an enterprise network and an ISP to ensure reliability. In this case, symmetrical routes between the enterprise network and the ISP network cannot be ensured, and loose URPF must be used.

Figure 7-5 URPF application environment where a client is dual-homed to devices on an ISP network

Scenario Where a Client Is Dual-Homed to Devices on Different ISP Networks

In the example shown in Figure 7-6, the enterprise network is connected to multiple ISP networks. It is difficult to ensure symmetrical routes between the enterprise network and the two ISP networks. Therefore, loose URPF must be used.

Figure 7-6 URPF application environment where a client is dual-homed to devices on different ISP networks

URPF applied in the scenario where an enterprise network is connected to multiple ISP networks has the following characteristics:

  • If any special packet is required to pass the URPF check under all conditions, you can specify the source address in an ACL.

  • Many users' routers may have only one default route leading to an ISP network. Therefore, default routing entries should be configured.
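The strict and loose checks described in the scenarios above can be modeled as follows. This is an added example, not Huawei code or NE40E configuration: the FIB prefixes, `Port3`, and the function and parameter names are assumptions made for illustration, and the handling of default-route-only matches is a modeling assumption.

```python
import ipaddress

# Constructed FIB for PE-1 as (prefix, outbound interfaces). The prefixes and
# Port3 are assumptions; the page gives only 2.2.2.2, Port1 and Port2.
FIB = [
    (ipaddress.ip_network("1.1.1.0/24"), {"Port1"}),  # Network A (assumed)
    (ipaddress.ip_network("2.2.2.0/24"), {"Port2"}),  # Network B (assumed)
    (ipaddress.ip_network("0.0.0.0/0"), {"Port3"}),   # default route (assumed)
]


def lookup(fib, src):
    """Longest-prefix match for src: (prefix, interfaces), or None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifs) for net, ifs in fib if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def urpf_check(fib, src, in_if, mode="strict", allow_default=False, exempt=()):
    """Return True if a packet from src arriving on in_if passes URPF."""
    addr = ipaddress.ip_address(src)
    # ACL-style exemption: listed sources pass under all conditions.
    if any(addr in ipaddress.ip_network(net) for net in exempt):
        return True
    hit = lookup(fib, src)
    if hit is None:
        return False                      # no route back to the source
    net, ifs = hit
    # Modeling assumption: a source reachable only through the default route
    # fails unless default-route matching is explicitly allowed.
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True                       # any route suffices; interface ignored
    return in_if in ifs                   # strict: must arrive on the route's interface


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for port in ("Port1", "Port2"):
            verdict = "forward" if urpf_check(FIB, "2.2.2.2", port, mode) else "discard"
            print(f"{mode:6} src=2.2.2.2 in={port}: {verdict}")
```

In strict mode the packet with source 2.2.2.2 is discarded on Port1 and forwarded on Port2; in loose mode it is forwarded on either port, which is why loose mode tolerates the asymmetric routes of a dual-homed client.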

Updated: 2019-01-03

Document ID: EDOC1100055047
