NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

URPF Overview

URPF prevents network attacks based on source address spoofing and can be performed in strict or loose mode.

Unicast Reverse Path Forwarding (URPF) is a technology used to defend against network attacks based on source address spoofing.

Generally, upon receiving a packet, a router first obtains the destination IP address of the packet and then searches the forwarding table for a route to the destination address. If the router finds such a route, it forwards the packet; otherwise, it discards the packet. A URPF-enabled router, however, obtains the source IP address of a received packet and searches for a route to the source address. If the router fails to find the route, it considers that the source address is a forged one and discards the packet. In this manner, URPF can effectively protect against malicious attacks that are launched by changing the source addresses of packets.

Figure 7-1 Source address spoofing attacks

Device A generates a packet with the forged source IP address 2.1.1.1 and sends the packet to Device B. Device B sends its response packet to Device C, whose IP address actually is 2.1.1.1. In this manner, Device A attacks both Device B and Device C by sending illegal packets.

URPF is applied on the upstream inbound interfaces of the router in two application environments: single-homed client and multi-homed client.

  • Single-homed client

    Figure 7-2 shows the connection between the client and the aggregation router of the ISP. Enable URPF on interface1 of the ISP router to protect the router and Internet from source address spoofing attacks from the client network.

Figure 7-2 Application of a URPF single-homed client

  • Multi-homed client

    URPF can be applied when multiple connections are set up between the client and the ISP, as shown in Figure 7-3. For URPF to work, packets from the client to a host on the Internet and packets from that host back to the client must traverse the same link between the client router and the ISP router. That is, route symmetry must be ensured. Otherwise, URPF discards certain normal packets because of an interface mismatch.

Figure 7-3 Application of the URPF multi-homed client

  • Multi-homed client and multi-ISP

    URPF can be applied when a client is connected to multiple ISPs, as shown in Figure 7-4. In this case, route symmetry has to be ensured.

URPF applied in the scenario where a client is connected to multiple ISPs has the following features:

  • If route symmetry cannot be ensured, you can use the loose check. That is, URPF does not check the consistency of the interfaces, and as long as a route contains the source address of the packet, the packet can pass.

  • The routers of multiple users may have only one default route to the router of the ISP. Therefore, matching the default route entry needs to be supported.

  • As the security system on the ingress, URPF is better than the conventional firewall in performance.

Figure 7-4 Application of multi-homed ISPs of URPF
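The strict check, the loose check and default-route matching described above can be modeled as one decision function. The following is an added example, not code from the guide or from the device: the FIB contents, the prefixes and the `allow_default` parameter name are constructed for illustration, and only `interface1` and the address 2.1.1.1 are taken from the text.

```python
import ipaddress

# Constructed FIB of the ISP router: (prefix, outbound interface).
# Prefixes and interface2/interface3 are sample values, not from the guide.
FIB = [
    ("10.1.0.0/16", "interface1"),  # client network reached over the first link
    ("10.2.0.0/16", "interface2"),  # same client, reached over the second link
    ("0.0.0.0/0", "interface3"),    # default route
]

def lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_check(fib, src, in_if, mode="strict", allow_default=False):
    """Return (permit, reason) for a packet with source src received on in_if."""
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source"
    net, out_if = route
    # A source covered only by the default route passes only if
    # default-route matching is enabled (hypothetical allow_default flag).
    if net.prefixlen == 0 and not allow_default:
        return False, "only default route matches"
    # Strict mode also requires the route back to the source to use the
    # interface the packet arrived on; loose mode skips this comparison.
    if mode == "strict" and out_if != in_if:
        return False, "interface mismatch"
    return True, "pass"

if __name__ == "__main__":
    cases = [
        ("10.1.0.5", "interface1", "strict", False),  # symmetric path
        ("10.2.0.5", "interface1", "strict", False),  # asymmetric path
        ("10.2.0.5", "interface1", "loose", False),   # same packet, loose check
        ("2.1.1.1", "interface1", "loose", False),    # forged source
        ("2.1.1.1", "interface1", "loose", True),     # forged source, default allowed
    ]
    for src, in_if, mode, allow in cases:
        print(src, in_if, mode, allow, urpf_check(FIB, src, in_if, mode, allow))
```

In this model, the loose check combined with default-route matching admits any source that the default route covers, so the forged 2.1.1.1 packet passes in the last case.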

Updated: 2019-01-02

Document ID: EDOC1100055397
