Unicast Reverse Path Forwarding (uRPF)


Unicast Reverse Path Forwarding (uRPF) is a security feature on Cisco ISR routers and ASA or Secure Firewall Threat Defence (FTD) firewalls that lets the device verify that the source address of a packet is reachable, which helps limit spoofed-source and other malicious traffic on the network.

Normally a router or firewall only checks whether the destination address is in the routing table. With uRPF enabled, the device also checks the source address, which guards against IP address spoofing by ensuring that packets carry a source IP address that is reachable via the expected source interface.

Key points:

  • uRPF instructs the router/firewall to look at the source IP address
  • With uRPF enabled, the router/firewall must have a route back to the source address

uRPF operates in one of two modes: strict mode or loose mode.

Strict mode

  • The packet is accepted if the source IP address is in the routing table AND the source IP address is reachable via the same interface on which the packet was received.
  • Used in symmetrically routed environments
  • Legitimate traffic could be dropped if asymmetric routes exist.

Loose Mode

  • The packet is accepted if the source IP address is in the routing table
  • Used in asymmetric environments, where traffic may be routed via one interface and return via another.
  • A packet whose source IP address is routed via the Null0 interface is dropped.

For sources that are covered only by the default route (no explicit route in the routing table), the keyword allow-default must be configured; it allows the default route to satisfy the source IP address verification.
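The decision logic behind the two modes is short enough to write down. The following is an added example (not Cisco code and not from this page) that models a routing table with two explicit routes, a Null0 blackhole route and a default route, all constructed for illustration, and applies the strict, loose and allow-default rules described above to individual packets. Interface names and prefixes are assumptions.

```python
"""Model of the uRPF source-address check (added example, not Cisco code).

Demonstrates strict mode (reachable-via rx), loose mode (reachable-via any),
the allow-default keyword and the Null0 rule on a constructed routing table.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface; "Null0" marks a blackhole route


# Constructed routing table (assumed values): two explicit static routes,
# one blackhole route and a default route.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("1.1.1.0/24"), "GigabitEthernet0/0"),
    Route(ipaddress.ip_network("2.2.2.0/24"), "GigabitEthernet0/1"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "Null0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0"),
]


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match for a source address; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(routes: List[Route], src: str, ingress: str, mode: str,
               allow_default: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for a packet with source `src` received on `ingress`.

    mode is "strict" (ip verify unicast source reachable-via rx) or
    "loose" (ip verify unicast source reachable-via any).
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    route = lookup(routes, src)
    if route is None:
        return False, "no route to source"
    if route.interface == "Null0":
        # A source routed to Null0 is dropped in both modes.
        return False, "source routed to Null0"
    if route.prefix.prefixlen == 0 and not allow_default:
        # Only the default route covers this source and allow-default is not set.
        return False, "only the default route matches and allow-default is not configured"
    if mode == "strict" and route.interface != ingress:
        # Strict mode also requires the return path to use the ingress interface.
        return False, f"source reachable via {route.interface}, not {ingress}"
    return True, f"source reachable via {route.interface}"


if __name__ == "__main__":
    cases = [
        ("1.1.1.10", "GigabitEthernet0/0", "strict", False),
        ("2.2.2.10", "GigabitEthernet0/0", "strict", False),  # asymmetric path
        ("2.2.2.10", "GigabitEthernet0/0", "loose", False),
        ("8.8.8.8", "GigabitEthernet0/0", "loose", False),    # default route only
        ("8.8.8.8", "GigabitEthernet0/0", "loose", True),
        ("10.1.2.3", "GigabitEthernet0/0", "loose", True),    # Null0
    ]
    for src, ingress, mode, allow_default in cases:
        ok, reason = urpf_check(ROUTES, src, ingress, mode, allow_default)
        print(f"{src:10} {ingress:20} {mode:6} allow-default={allow_default!s:5} -> {'accept' if ok else 'drop':6} ({reason})")
```

The second case is the asymmetric-routing problem the strict-mode bullet warns about: the source is in the routing table but via a different interface, so strict mode drops it while loose mode accepts it. The 8.8.8.8 cases show why a default route alone does not satisfy the check until allow-default is added.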

IOS-XE Configuration

The following configuration is for Cisco IOS-XE routers.

Loose Mode

Loose mode is configured under the interface, using the keyword any.

interface GigabitEthernet0/0
 ip verify unicast source reachable-via any

Strict Mode

Strict mode is configured under the interface, using the keyword rx.

interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx

Allow default route

When either uRPF loose or strict mode is enabled as above on a router that has explicit static routes to 1.1.1.0/24 and 2.2.2.0/24 plus a default route, only traffic sourced from 1.1.1.0/24 and 2.2.2.0/24 is allowed, even though a default route exists.

SWI1# show ip route static | begin Gateway
Gateway of last resort is 192.168.249.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.249.2
      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 192.168.249.2
      2.0.0.0/24 is subnetted, 1 subnets
S        2.2.2.0 [1/0] via 192.168.249.2

To accept traffic from any source address that is reachable only via the default route, add the allow-default keyword (with either any or rx).

interface GigabitEthernet0/0
 ip verify unicast source reachable-via any|rx allow-default

Access Control Lists

When a packet fails the uRPF check, the device drops it and no logging occurs. An Access Control List (ACL) can optionally be used to define exceptions and to log the drops.

  • Utilising an ACL and appending the keyword log will log hits on the ACE, which is useful for troubleshooting.
  • uRPF can use an ACL for exceptions, to forward (permit) a packet that would normally be dropped.

With the following configuration applied, only sources with a route in the routing table (except the default route) are allowed; in addition, the network 3.3.3.0/24 is defined as an exception in the ACL, so packets from it are forwarded even though they fail the check.

access-list 101 remark ** Anti-Spoof **
access-list 101 permit ip 3.3.3.0 0.0.0.255 any log EXCEPTION
access-list 101 deny ip any any log ANTI-SPOOF
!
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any 101

The output below is the logging information for the uRPF ACL. Note that traffic from 8.8.8.8 is denied but traffic from 3.3.3.1 is allowed, because 3.3.3.1 is explicitly permitted in the ACL.

*Aug 16 10:07:45.554: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 8.8.8.8 -> 192.168.250.1 (0/0), 5 packets [ANTI-SPOOF]
*Aug 16 10:10:45.545: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 3.3.3.1 -> 192.168.250.1 (0/0), 35 packets [EXCEPTION]

Verification

Run the command show ip traffic. From the output below we can determine that 61 packets were dropped because of uRPF.

SWI1#show ip traffic

IP statistics:
  Rcvd:  1429 total, 1429 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
         0 invalid hole
  Bcast: 98 received, 0 sent
  Mcast: 679 received, 675 sent
  Sent:  1323 generated, 655 forwarded
  Drop:  7 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 61 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero

Run the command show ip interface. From the output below, we can confirm that uRPF is configured in strict mode with ACL 101 applied to the interface, and that 51 packets have been dropped.

SWI1#show ip int gi0/0 | begin verify
  IP verify source reachable-via RX, ACL 101
   51 verification drops
   5 suppressed verification drops
   0 verification drop-rate
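The two counters above are what an operator polls to see whether uRPF is still dropping traffic. The following added example (not Cisco code and not from this page) extracts the uRPF drop counter from show ip traffic and the mode, ACL and drop counters from show ip interface, and reports the growth of the global counter between two samples. The embedded sample outputs are constructed copies in the style shown above.

```python
"""Parse uRPF counters out of IOS show output (added example, not Cisco code).

Handles the `show ip traffic` Drop block and the `show ip interface ... | begin
verify` block, and computes the drop delta between two samples.
"""
import re
from typing import Optional

# Constructed sample output, modelled on the page's `show ip traffic`.
IP_TRAFFIC_SAMPLE = """\
  Drop:  7 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 61 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero
"""

# Constructed sample output, modelled on the page's `show ip interface`.
IP_INTERFACE_SAMPLE = """\
  IP verify source reachable-via RX, ACL 101
   51 verification drops
   5 suppressed verification drops
   0 verification drop-rate
"""


def urpf_drops_from_ip_traffic(text: str) -> Optional[int]:
    """Global 'unicast RPF' drop counter from `show ip traffic`, or None if absent."""
    m = re.search(r"(\d+) unicast RPF", text)
    return int(m.group(1)) if m else None


def urpf_status_from_ip_interface(text: str) -> Optional[dict]:
    """Mode, ACL and per-interface counters from `show ip interface`, or None.

    reachable-via RX is strict mode, reachable-via ANY is loose mode; the ACL
    part is optional because an interface may have uRPF without an ACL.
    """
    header = re.search(r"IP verify source reachable-via (\w+)(?:, ACL (\S+))?", text)
    if not header:
        return None

    def counter(label: str) -> int:
        m = re.search(r"(\d+) " + re.escape(label), text)
        return int(m.group(1)) if m else 0

    return {
        "mode": "strict" if header.group(1).upper() == "RX" else "loose",
        "acl": header.group(2),
        "drops": counter("verification drops"),
        "suppressed": counter("suppressed verification drops"),
        "drop_rate": counter("verification drop-rate"),
    }


def urpf_drop_delta(previous: str, current: str) -> Optional[int]:
    """Increase of the global uRPF drop counter between two `show ip traffic` samples.

    A positive value means spoofed-source or asymmetrically routed packets are
    still being dropped and deserve a look; None means a sample lacked the counter.
    """
    before = urpf_drops_from_ip_traffic(previous)
    after = urpf_drops_from_ip_traffic(current)
    if before is None or after is None:
        return None
    return after - before


if __name__ == "__main__":
    print("global uRPF drops:", urpf_drops_from_ip_traffic(IP_TRAFFIC_SAMPLE))
    print("interface status:", urpf_status_from_ip_interface(IP_INTERFACE_SAMPLE))
    later = IP_TRAFFIC_SAMPLE.replace("61 unicast RPF", "70 unicast RPF")
    print("drops since last sample:", urpf_drop_delta(IP_TRAFFIC_SAMPLE, later))
```

A non-zero delta on its own does not say whether the drops were spoofed packets or legitimate traffic on an asymmetric path; the ACL logging shown earlier is what tells you which source addresses were involved.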

ASA Configuration

The following is applicable to Cisco ASA firewalls.

uRPF is enabled on the Cisco ASA globally, referencing each interface by its nameif (rather than under each interface as on IOS routers).

On the ASA the following applies:

  • ASA supports strict mode only
  • ICMP packets have no session, so each packet is checked
  • UDP and TCP have sessions; only the initial packet requires a reverse route lookup, and subsequent packets are checked against the existing session state.

To configure uRPF on the ASA, enter the command once per interface:

ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE

Verification

With logging enabled on the ASA, the following syslog message should be generated.

%ASA-1-106021: Deny ICMP reverse path check from 192.168.249.2 to 192.168.252.2 on interface INSIDE
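Both the IOS ACL log lines shown in the Access Control Lists section and the ASA 106021 message above carry the same information: which source address failed the reverse-path check and where it was headed. The following added example (not Cisco code and not from this page) parses both formats into one record and totals denied and permitted packets per source address, which is the first thing an analyst wants when deciding whether drops are spoofing or an asymmetric route. The sample log is constructed; the TCP line and the unrelated config line are assumptions added to exercise the parser.

```python
"""Parse IOS uRPF ACL logs and ASA reverse-path logs (added example, not Cisco code).

IOS: %SEC-6-IPACCESSLOGDP / IPACCESSLOGP lines produced by the `log` keyword on
the uRPF ACL.  ASA: %ASA-1-106021 "Deny ... reverse path check" messages.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log: IOS ICMP deny and permit, an IOS TCP deny (assumed
# format), one ASA reverse-path deny, and one unrelated line to be ignored.
SAMPLE_LOG = """\
*Aug 16 10:07:45.554: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 8.8.8.8 -> 192.168.250.1 (0/0), 5 packets [ANTI-SPOOF]
*Aug 16 10:10:45.545: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 3.3.3.1 -> 192.168.250.1 (0/0), 35 packets [EXCEPTION]
*Aug 16 10:12:01.100: %SEC-6-IPACCESSLOGP: list 101 denied tcp 8.8.8.8(40000) -> 192.168.250.1(22), 1 packet [ANTI-SPOOF]
%ASA-1-106021: Deny ICMP reverse path check from 192.168.249.2 to 192.168.252.2 on interface INSIDE
*Aug 16 10:13:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})\S* -> (?P<dst>\d+(?:\.\d+){3})\S*"
    r".*?(?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?"
)
ASA_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\w+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_urpf_event(line: str) -> Optional[dict]:
    """Normalise one log line to a dict, or None if it is not a uRPF event."""
    m = IOS_RE.search(line)
    if m:
        return {
            "platform": "ios", "action": m["action"], "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"], "count": int(m["count"]),
            "tag": m["tag"],  # the log cookie from the ACE, e.g. ANTI-SPOOF
        }
    m = ASA_RE.search(line)
    if m:
        # The ASA message has no packet count: one message per checked packet.
        return {
            "platform": "asa", "action": "denied", "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"], "count": 1,
            "tag": m["iface"],  # ingress interface nameif
        }
    return None


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Total packets per source address, split into denied and permitted."""
    denied, permitted = Counter(), Counter()
    for line in log_text.splitlines():
        event = parse_urpf_event(line)
        if event is None:
            continue
        bucket = denied if event["action"] == "denied" else permitted
        bucket[event["src"]] += event["count"]
    return {"denied": dict(denied), "permitted": dict(permitted)}


if __name__ == "__main__":
    for source, pkts in sorted(summarize(SAMPLE_LOG)["denied"].items(), key=lambda kv: -kv[1]):
        print(f"denied {pkts:5d} packets from {source}")
    print("permitted by exception:", summarize(SAMPLE_LOG)["permitted"])
```

Sources that appear under "denied" but belong to an internal prefix with a known asymmetric path are candidates for loose mode or an ACL exception; sources that should never arrive on that interface are the spoofed traffic uRPF exists to stop.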

Run the command show asp drop frame rpf-violated to confirm the counter is increasing.

ASA(config)# show asp drop frame
  Reverse-path verify failed (rpf-violated)                                   10

Reference documentation

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/asr903/16-12-1/b-sec-data-urpf-xe-16-12-asr900/m_cfg-unicast-rpf.html#GUID-FFFAE947-8849-41E0-A926-A9C68AA9C16F
https://tools.cisco.com/security/center/resources/guide_ddos_defense.html