
Differences in uRPF implementation between Cisco and H3C

The following text is from the H3C official website: http://www.h3c.com.cn/download.do?id=620562

URPF processing flow
URPF checks come in two types, strict and loose. In addition, ACL and default-route checks are supported.
The URPF processing flow is as follows:
(1) If the packet's source address exists in the router's FIB: for a strict check, a reverse lookup is done for the packet's outgoing interface; if at least one of those outgoing interfaces matches the interface the packet arrived on, the packet passes the check, otherwise it is rejected. (A reverse lookup means looking up the outgoing interface that would be used for a packet whose destination IP address is this packet's source IP address.) For a loose check, the packet is forwarded normally.
(2) If the packet's source address does not exist in the router's FIB, the default route and URPF's allow-default-route parameter are checked.
If a default route is configured but the allow-default-route parameter is not, the packet is rejected whether the check is strict or loose, as long as its source address does not exist in the router's FIB.
If a default route is configured and the allow-default-route parameter is also configured: for a strict check, the packet passes the URPF check and is forwarded normally as long as the default route's outgoing interface matches the interface the packet arrived on; if they do not match, the packet is rejected. For a loose check, the packet always passes the URPF check and is forwarded normally.
(3) Only after a packet has been rejected is it matched against the ACL. If the ACL permits it, the packet continues to be forwarded normally; if the ACL denies it, the packet is dropped.

The following text is from the Cisco official website: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Introduction
Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network devices support all three modes of operation. Unicast RPF in VRF mode will not be covered in this document.

When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.

When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. Additionally, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in Unicast RPF loose mode.

Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that contain asymmetric routing paths.
Unicast RPF in an Enterprise Network
In many enterprise environments, it is necessary to use a combination of strict mode and loose mode Unicast RPF. The choice of the Unicast RPF mode that will be used will depend on the design of the network segment connected to the interface on which Unicast RPF is deployed.

Administrators should use Unicast RPF in strict mode on network interfaces for which all packets received on an interface are guaranteed to originate from the subnet assigned to the interface. A subnet composed of end stations or network resources fulfills this requirement. Such a design would be in place for an access layer network or a branch office where there is only one path into and out of the branch network. No other traffic originating from the subnet is allowed and no other routes are available past the subnet.

Unicast RPF loose mode can be used on an uplink network interface that has a default route associated with it.
Unicast RPF Examples
Cisco IOS Devices
An important consideration for deployment is that Cisco Express Forwarding switching must be enabled for Unicast RPF to function. This command has been enabled by default as of IOS version 12.2. If it is not enabled, administrators can enable it with the following global configuration command: ip cef

Unicast RPF is enabled on a per-interface basis. The ip verify unicast source reachable-via rx command enables Unicast RPF in strict mode. To enable loose mode, administrators can use the any option to enforce the requirement that the source IP address for a packet must appear in the routing table. The allow-default option may be used with either the rx or any option to include IP addresses not specifically contained in the routing table. The allow-self-ping option should not be used because it could create a denial of service condition. An access list such as the one that follows may also be configured to specifically permit or deny a list of addresses through Unicast RPF:

interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default]
[allow-self-ping] [list]

Addresses that should never appear on a network can be dropped by entering a route to a null interface. The following command will cause all traffic received from the 10.0.0.0/8 network to be dropped even if Unicast RPF is enabled in loose mode with the allow-default option: ip route 10.0.0.0 255.0.0.0 Null0
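The two vendor texts above describe the same decision procedure (reverse FIB lookup, strict versus loose interface matching, the allow-default option, and an ACL consulted only after the check fails), with one visible difference: the Cisco text says a reverse route to Null0 fails the check even in loose mode with allow-default, while the H3C steps (1) to (3) mention no such case. The model below is an added example, not code from either vendor or from the original page. The FIB, interface names and addresses are constructed; the `null0_drops` switch encodes the Cisco rule, and setting it to False models the H3C flow exactly as quoted, which is an assumption about H3C behaviour rather than something the quoted text states explicitly.

```python
"""Model of the uRPF decision flow quoted above (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NULL0 = "Null0"  # discard interface; a route pointing here is a blackhole route


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


class Fib:
    """Minimal FIB: longest-prefix match over static routes (constructed data, not a real table)."""

    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        a = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


class Acl:
    """First-match source-prefix ACL with an implicit deny, used as the uRPF fallback list."""

    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(p), permit) for p, permit in entries]

    def permits(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        for prefix, permit in self.entries:
            if a in prefix:
                return permit
        return False


def urpf_check(fib, src, in_iface, mode, allow_default=False, acl=None, null0_drops=True):
    """Return (verdict, reason) for one packet with source address src arriving on in_iface.

    mode: "strict" (reverse route must exit via in_iface) or "loose" (any route suffices).
    allow_default: let the default route satisfy the check (H3C allow-default-route,
                   Cisco allow-default).
    null0_drops: the Cisco rule from the quoted text: a reverse route to Null0 fails the
                 check even in loose mode with allow-default. False models the H3C flow as
                 quoted, which describes no Null0 special case (assumption, see lead-in).
    """
    assert mode in ("strict", "loose")
    route = fib.lookup(src)
    reason = None
    if route is None:
        reason = "no route to source"
    elif null0_drops and route.out_iface == NULL0:
        reason = "reverse route points to Null0"
    elif route.prefix.prefixlen == 0 and not allow_default:
        reason = "only the default route matches and allow-default is off"
    elif mode == "strict" and route.out_iface != in_iface:
        reason = f"strict: reverse route exits {route.out_iface}, packet arrived on {in_iface}"

    if reason is None:
        return "forward", "uRPF passed"
    # Step (3) of the H3C flow: the ACL is consulted only once the check has failed.
    if acl is not None and acl.permits(src):
        return "forward", f"uRPF failed ({reason}) but ACL permits source"
    return "drop", reason


# Constructed topology: Gi0/0 is an access subnet, Gi0/1 the uplink carrying the default
# route, and 10.0.0.0/8 is blackholed as in the "ip route 10.0.0.0 255.0.0.0 Null0" example.
FIB = Fib([
    ("0.0.0.0/0", "Gi0/1"),
    ("192.168.10.0/24", "Gi0/0"),
    ("10.0.0.0/8", NULL0),
])


def null0_difference(src="10.1.2.3", in_iface="Gi0/1"):
    """Same blackholed source, loose mode with allow-default, under both vendor models."""
    cisco = urpf_check(FIB, src, in_iface, "loose", allow_default=True, null0_drops=True)
    h3c = urpf_check(FIB, src, in_iface, "loose", allow_default=True, null0_drops=False)
    return {"cisco": cisco[0], "h3c": h3c[0]}


if __name__ == "__main__":
    cases = [
        ("192.168.10.5", "Gi0/0", "strict", False, None),  # own subnet, expected interface
        ("192.168.10.5", "Gi0/1", "strict", False, None),  # asymmetric: arrives on the uplink
        ("192.168.10.5", "Gi0/1", "loose", False, None),   # loose mode tolerates asymmetry
        ("203.0.113.7", "Gi0/1", "loose", False, None),    # only the default route matches
        ("203.0.113.7", "Gi0/1", "loose", True, None),     # default route accepted
        ("203.0.113.7", "Gi0/0", "strict", True, None),    # default exits Gi0/1, not Gi0/0
        ("192.168.10.5", "Gi0/1", "strict", False, Acl([("192.168.10.0/24", True)])),
    ]
    for src, iface, mode, allow_default, acl in cases:
        print(src, iface, mode, allow_default, urpf_check(FIB, src, iface, mode, allow_default, acl))
    print("10.1.2.3 via Null0, loose + allow-default:", null0_difference())
```

Running the block prints each scenario's verdict; `null0_difference()` isolates the point the page makes: with the blackhole route in place, the Cisco model drops the 10.0.0.0/8 source even in loose mode with allow-default, whereas the H3C flow as quoted treats the Null0 route as an ordinary FIB entry and forwards it. On real hardware, verify this against the platform's own documentation rather than the model.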

The texts above show that Cisco took slightly more into account than H3C when implementing uRPF; at the very least, Cisco handles the case where a route in the routing table has the Null0 interface as its next hop.
