
Cisco: uRPF (Unicast Reverse Path Forwarding)

Tasks

  1. Without uRPF IP Spoofing w/ hping3
  2. uRPF Loose Mode
  3. Test uRPF Loose Mode unsuccessful pattern: source address is listed in routing table
  4. uRPF Strict Mode
  5. uRPF Loose Mode w/ default route
  6. uRPF Strict Mode w/ default route

uRPF topology 2e669ef3-4dbe-4c36-a28c-7e3ad0c6462c

network-security.urpf.3rt.0sw.4node.1ext-conn.static.2e669ef3
- Topology Description: uRPF (Unicast Reverse Path Forwarding)
- Topology ID: ''2e669ef3-4dbe-4c36-a28c-7e3ad0c6462c''
- Design and Technology:
  - uRPF (Unicast Reverse Path Forwarding)
  - Routing Protocol
    - static
  - 3 routers
  - 0 switches
  - 4 servers
- Remarks: N/A
- Lab Password: EgkhdSc5mwTu1cvrrk17zVC6NSKa7Y4AGSTDv2tHgfnwOVWvToCVDAHEKWKH1rl1

### Links

Cisco: uRPF (Unicast Reverse Path Forwarding) [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:urpf:urpf

Base Configuration

Common Configuration Snippet

ubuntu-0

server-1

server-2

server-3

R1

R2

R3

Tiny Core Linux

###### BOOT CONFIG START ######
route: SIOCADDRT: No such device
###### BOOT CONFIG DONE ######
sleep 10

… does not work…

How is the node removed?

Does not work for me.

Configure Server

sudo apt install hping3

Verify Basic Reachability f5f7e2b2-c611-4fd0-b33a-976749ad550b

  • ubuntu-0
ping -c2 10.3.3.201
ping -c2 172.16.1.202
ping -c2 172.16.3.203

R2 Console Log

R2#sh ip ro        
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
S        10.1.1.0/24 [1/0] via 10.1.2.1
C        10.1.2.0/24 is directly connected, GigabitEthernet0/1
L        10.1.2.2/32 is directly connected, GigabitEthernet0/1
C        10.2.3.0/24 is directly connected, GigabitEthernet0/0
L        10.2.3.2/32 is directly connected, GigabitEthernet0/0
S        10.3.3.0/24 [1/0] via 10.2.3.3
      172.16.0.0/24 is subnetted, 2 subnets
S        172.16.1.0 [1/0] via 10.1.2.1
S        172.16.3.0 [1/0] via 10.2.3.3

Without uRPF IP Spoofing w/ hping3 8e8794b3-d399-4805-b2fc-5401f14bfa32

  • ubuntu-0
ping -c2 10.3.3.201
# Testing Loose Mode
sudo hping3 --icmp --spoof 172.16.255.254 -c 2 10.3.3.201
# Testing Strict Mode
sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
sudo hping3 --icmp --spoof 172.16.1.202 -c 2 10.3.3.201
  • Wireshark Display Filter
icmp
  • ubuntu-0
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

The spoofed transmission succeeded: without uRPF, R2 forwards the packets. hping3 reports 100% loss in every test because the echo replies go to the spoofed source address, not to ubuntu-0, so the result has to be judged from the Wireshark capture (and, once uRPF is enabled, from R2's counters) rather than from hping3's statistics.

Configuring uRPF overview

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ! uRPF Loose Mode
 ip verify unicast source reachable-via any
 ! uRPF Strict Mode
 ip verify unicast source reachable-via rx
 ! uRPF Loose Mode with default route permission
 ip verify unicast source reachable-via any allow-default
 ! uRPF Strict Mode with default route permission
 ip verify unicast source reachable-via rx allow-default
!
end
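The four variants above differ only in which routing-table entries may satisfy the source check. The following Python model is an added example, not part of the wiki page or of any Cisco software: it reproduces R2's routing table from the `sh ip ro` output on this page (next hop 10.1.2.1 is reached via Gi0/1, 10.2.3.3 via Gi0/0; the interface mapping is an assumption drawn from the connected routes) and replays the page's spoofed sources through loose mode, strict mode and the default-route cases so that the counter movements seen later on the page can be predicted.

```python
"""uRPF decision logic (loose / strict / allow-default) simulated in Python.

Added example, not from the wiki page: models the check R2 applies on Gi0/1.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # interface R2 would use to reach this prefix


def net(s):
    return ipaddress.ip_network(s)


# R2's initial routing table, constructed from the "sh ip ro" output on the page
# (next hop 10.1.2.1 -> Gi0/1, next hop 10.2.3.3 -> Gi0/0).
R2_TABLE = [
    Route(net("10.1.1.0/24"), "GigabitEthernet0/1"),
    Route(net("10.1.2.0/24"), "GigabitEthernet0/1"),
    Route(net("10.2.3.0/24"), "GigabitEthernet0/0"),
    Route(net("10.3.3.0/24"), "GigabitEthernet0/0"),
    Route(net("172.16.1.0/24"), "GigabitEthernet0/1"),
    Route(net("172.16.3.0/24"), "GigabitEthernet0/0"),
]


def with_default_route(table):
    """The later table on the page: 172.16.1.0/24 removed, 0.0.0.0/0 via 10.1.2.1 added."""
    kept = [r for r in table if r.prefix != net("172.16.1.0/24")]
    return kept + [Route(net("0.0.0.0/0"), "GigabitEthernet0/1")]


def lookup(table, addr):
    """Longest-prefix match for addr; None means 'no route'."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(table, src, in_iface, mode="any", allow_default=False):
    """True if a packet with source src arriving on in_iface passes uRPF.

    mode="any": loose mode  (reachable-via any) - any route to the source will do.
    mode="rx":  strict mode (reachable-via rx)  - the route must point back out in_iface.
    allow_default: whether 0.0.0.0/0 may satisfy the check (the allow-default keyword).
    """
    route = lookup(table, src)
    if route is None:
        return False                      # no route at all -> verification drop
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches -> drop
    if mode == "rx":
        return route.out_iface == in_iface
    return True


def page_scenarios():
    """Replay the page's tests; all packets arrive on Gi0/1 from the ubuntu-0 side."""
    gi01 = "GigabitEthernet0/1"
    dflt = with_default_route(R2_TABLE)
    return {
        "loose_unrouted_src":     urpf_check(R2_TABLE, "172.16.255.254", gi01, "any"),
        "loose_routed_src":       urpf_check(R2_TABLE, "172.16.3.203", gi01, "any"),
        "strict_wrong_iface_src": urpf_check(R2_TABLE, "172.16.3.203", gi01, "rx"),
        "strict_right_iface_src": urpf_check(R2_TABLE, "172.16.1.202", gi01, "rx"),
        "loose_default_only":     urpf_check(dflt, "172.16.1.202", gi01, "any"),
        "loose_default_allowed":  urpf_check(dflt, "172.16.1.202", gi01, "any", allow_default=True),
        "strict_default_only":    urpf_check(dflt, "172.16.1.202", gi01, "rx"),
    }


if __name__ == "__main__":
    for name, passed in page_scenarios().items():
        print(f"{name:24s} {'forwarded' if passed else 'uRPF drop'}")
```

Run it and compare with the lab: the only spoofed source loose mode rejects is the one with no route at all (172.16.255.254); 172.16.3.203 passes loose mode because 172.16.3.0/24 is in the table, and is caught only by strict mode, which insists the route point back out Gi0/1. Once 172.16.1.0/24 is replaced by a default route, legitimate traffic from server-2 fails both modes until allow-default is added.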

Verification commands overview

show running-config interface GigabitEthernet 0/1
show ip route
show ip interface GigabitEthernet 0/1
show ip traffic
show ip interface GigabitEthernet 0/1 | include verification drop|suppress
show ip traffic | include unicast RPF|forwarded
show ip interface GigabitEthernet 0/1 | section IP verify source
show ip traffic | section IP statistics

Configuring uRPF Loose Mode 36eb24a4-b7be-441f-9dc8-76d231756d39

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via any
!
end
R2#sh ip int gig0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.2.2/24
  Broadcast address is 255.255.255.255
  Address determined by configuration file
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: uRPF, MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via ANY
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate
R2#sh ip tra       
R2#sh ip traffic ?
  interface  show IP statistics per Interface
  |          Output modifiers
  <cr>

R2#sh ip traffic 
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 36 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 0 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path

ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
        0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
        0 irdp solicitations, 0 irdp advertisements
        0 time exceeded, 0 info replies
  Sent: 0 redirects, 4 unreachable, 0 echo, 0 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
        0 info reply, 0 time exceeded, 0 parameter problem
        0 irdp solicitations, 0 irdp advertisements

UDP statistics:
  Rcvd: 0 total, 0 checksum errors, 0 no port 0 finput
  Sent: 0 total, 0 forwarded broadcasts

BGP statistics:
  Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh, 0 unrecognized
  Sent: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh

TCP statistics:
  Rcvd: 0 total, 0 checksum errors, 0 no port
  Sent: 0 total

EIGRP-IPv4 statistics:
  Rcvd: 0 total
  Sent: 0 total

PIMv2 statistics: Sent/Received
  Total: 0/0, 0 checksum errors, 0 format errors
  Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
  Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
  Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
  Queue drops: 0
  State-Refresh: 0/0

IGMP statistics: Sent/Received
  Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
  Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0 
  DVMRP: 0/0, PIM: 0/0
  Queue drops: 0

OSPF statistics:
  Last clearing of OSPF traffic counters never
  Rcvd: 0 total, 0 checksum errors
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks
  Sent: 0 total
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

ARP statistics:
  Rcvd: 1 requests, 9 replies, 0 reverse, 0 other
  Sent: 1 requests, 9 replies (0 proxy), 0 reverse
  Drop due to input queue full: 0
R2#
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.255.254 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
R2#sh ip int gig0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.2.2/24
(snip)
  IP verify source reachable-via ANY
   2 verification drops
R2#sh ip traffic   
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
(snip)
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 2 unicast RPF, 0 forced drop
         0 options denied

Loose mode check successful: the two packets spoofed from 172.16.255.254, an address with no route in R2's table, show up as 2 verification drops on Gi0/1 and as 2 unicast RPF drops in show ip traffic.

Test uRPF Loose Mode unsuccessful pattern: source address is listed in routing table c41e5eff-68c4-4790-a81f-fe0795d19022

R2#sh ip ro 172.16.3.203
Routing entry for 172.16.3.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.2.3.3
      Route metric is 0, traffic share count is 1
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
R2#sh ip int gig0/1
GigabitEthernet0/1 is up, line protocol is up
(snip)
  IP verify source reachable-via ANY
   2 verification drops
   4 suppressed verification drops
   0 verification drop-rate
R2#sh ip traffic   
IP statistics:
(snip)
  Sent:  4 generated, 42 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 2 unicast RPF, 0 forced drop
         0 options denied
(snip)
R2#sh ip int gig0/1 | i verification drop|suppress
   2 verification drops
   8 suppressed verification drops
   0 verification drop-rate
R2#sh ip traffic | i unicast RPF|forwarded
  Sent:  4 generated, 44 forwarded
         4 no route, 2 unicast RPF, 0 forced drop
  Sent: 0 total, 0 forwarded broadcasts
R2#sh ip int gig0/1 | i verification drop|suppress
   2 verification drops
   8 suppressed verification drops
   0 verification drop-rate
R2#sh ip traffic | i unicast RPF|forwarded        
  Sent:  4 generated, 44 forwarded
         4 no route, 2 unicast RPF, 0 forced drop
  Sent: 0 total, 0 forwarded broadcasts
R2#sh ip int gig0/1 | i verification drop|suppress
   2 verification drops
   10 suppressed verification drops
   0 verification drop-rate
R2#sh ip traffic | i unicast RPF|forwarded        
  Sent:  4 generated, 46 forwarded
         4 no route, 2 unicast RPF, 0 forced drop
  Sent: 0 total, 0 forwarded broadcasts

Note which counter moved: suppressed verification drops rose to 4 (and kept climbing with each further test) and the forwarded count kept increasing, while verification drops stayed at 2.

Wireshark Packet Capture Result

Loose mode does not catch this pattern: 172.16.3.203 has a route in R2's table (172.16.3.0/24 via 10.2.3.3), so the loose check is satisfied even though the packets arrived on Gi0/1, and the spoofed packets are forwarded.
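Because hping3 shows 100% loss whether or not the spoofed packets got through, the page judges every test by comparing R2's counters before and after. The script below is an added example (not part of the wiki page) that automates that comparison: it parses the `show ip interface ... | section IP verify` and `show ip traffic | include unicast RPF|forwarded` excerpts, computes the per-counter change between two snapshots, and says whether the test packets were dropped by uRPF or forwarded. The two snapshot pairs embedded in it are constructed from the loose-mode and strict-mode outputs on this page.

```python
"""Judge a uRPF test from router counters rather than from hping3 (added example)."""
import re

# Constructed from the loose-mode test on this page: before/after two packets
# spoofed from 172.16.3.203, a source that IS in R2's routing table.
LOOSE_BEFORE = (
    "  IP verify source reachable-via ANY\n"
    "   2 verification drops\n"
    "   4 suppressed verification drops\n"
    "   0 verification drop-rate\n",
    "  Sent:  4 generated, 42 forwarded\n"
    "         4 no route, 2 unicast RPF, 0 forced drop\n",
)
LOOSE_AFTER = (
    "  IP verify source reachable-via ANY\n"
    "   2 verification drops\n"
    "   8 suppressed verification drops\n"
    "   0 verification drop-rate\n",
    "  Sent:  4 generated, 44 forwarded\n"
    "         4 no route, 2 unicast RPF, 0 forced drop\n",
)
# Constructed from the strict-mode test: the same spoofed source arriving on Gi0/1.
STRICT_BEFORE = (
    "  IP verify source reachable-via RX\n"
    "   2 verification drops\n"
    "   12 suppressed verification drops\n"
    "   0 verification drop-rate\n",
    "  Sent:  4 generated, 48 forwarded\n"
    "         4 no route, 2 unicast RPF, 0 forced drop\n",
)
STRICT_AFTER = (
    "  IP verify source reachable-via RX\n"
    "   4 verification drops\n"
    "   12 suppressed verification drops\n"
    "   0 verification drop-rate\n",
    "  Sent:  4 generated, 52 forwarded\n"
    "         4 no route, 4 unicast RPF, 0 forced drop\n",
)

COUNTER_RE = re.compile(
    r"^\s*(\d+)\s+(verification drops|suppressed verification drops|verification drop-rate)\s*$",
    re.M,
)
MODE_RE = re.compile(r"IP verify source reachable-via (\w+)(, allow default)?")
FORWARDED_RE = re.compile(r"(\d+) generated, (\d+) forwarded")
RPF_RE = re.compile(r"(\d+) unicast RPF")


def parse_snapshot(show_ip_interface, show_ip_traffic):
    """Extract the uRPF mode and the counters a lab test is judged by."""
    snap = {}
    m = MODE_RE.search(show_ip_interface)
    if m:
        snap["mode"] = m.group(1).lower() + (" allow-default" if m.group(2) else "")
    for m in COUNTER_RE.finditer(show_ip_interface):
        snap[m.group(2)] = int(m.group(1))
    m = FORWARDED_RE.search(show_ip_traffic)
    if m:
        snap["forwarded"] = int(m.group(2))
    m = RPF_RE.search(show_ip_traffic)
    if m:
        snap["unicast RPF"] = int(m.group(1))
    return snap


def counter_delta(before, after):
    """Per-counter change between two snapshots; the mode is carried over, not subtracted."""
    d = {k: v - before.get(k, 0) for k, v in after.items() if isinstance(v, int)}
    d["mode"] = after.get("mode")
    return d


def verdict(delta):
    """What happened to the test packets, judged from the router's counters."""
    if delta.get("verification drops", 0) > 0:
        return "dropped by uRPF"
    if delta.get("forwarded", 0) > 0 or delta.get("suppressed verification drops", 0) > 0:
        return "forwarded (uRPF did not stop them)"
    return "no change"


def judge(before, after):
    """before/after are (show ip interface excerpt, show ip traffic excerpt) pairs."""
    d = counter_delta(parse_snapshot(*before), parse_snapshot(*after))
    return d, verdict(d)


if __name__ == "__main__":
    for label, pair in (("loose", (LOOSE_BEFORE, LOOSE_AFTER)),
                        ("strict", (STRICT_BEFORE, STRICT_AFTER))):
        d, v = judge(*pair)
        print(f"{label}: {v}  {d}")
```

In loose mode the delta shows verification drops unchanged, suppressed drops +4 and forwarded +2, so the spoofed packets went through; in strict mode verification drops and unicast RPF both rise by 2, the two packets hping3 sent. Paste in fresh excerpts from the lab to judge any further test the same way.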

Configuring uRPF Strict Mode 36eb24a4-b7be-441f-9dc8-76d231756d39

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via rx
!
end
ping -c2 10.3.3.201
sudo hping3 --icmp --spoof 172.16.255.254 -c 2 10.3.3.201
sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
sudo hping3 --icmp --spoof 172.16.1.202 -c 2 10.3.3.201
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
ubuntu@ubuntu-0:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201) 56(84) bytes of data.
64 bytes from 10.3.3.201: icmp_seq=1 ttl=61 time=4.32 ms
64 bytes from 10.3.3.201: icmp_seq=2 ttl=61 time=3.90 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.908/4.116/4.324/0.208 ms
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.3.203 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.255.254 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
ubuntu@ubuntu-0:~$ sudo hping3 --icmp --spoof 172.16.1.202 -c 2 10.3.3.201
HPING 10.3.3.201 (enp0s2 10.3.3.201): icmp mode set, 28 headers + 0 data bytes

--- 10.3.3.201 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
R2#sh ip int gig0/1  
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.2.2/24
  Broadcast address is 255.255.255.255
  Address determined by configuration file
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: uRPF, MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via RX
   2 verification drops
   12 suppressed verification drops
   0 verification drop-rate
R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 48 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 2 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#sh ip int gig0/1 | sec IP verify source
  IP verify source reachable-via RX
   4 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec IP statistics      
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 52 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 4 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#

uRPF Loose Mode w/ default route 394ce034-f205-4ded-b8f4-abbced8c010f

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via any
!
no ip route 172.16.1.0 255.255.255.0 10.1.2.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
end
show ip route
show running-config interface GigabitEthernet 0/1
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/1
R2(config-if)#ip verify
R2(config-if)#ip verify unicas
R2(config-if)#ip verify unicast sou
R2(config-if)#ip verify unicast source rea
R2(config-if)#ip verify unicast source reachable-via an
R2(config-if)#ip verify unicast source reachable-via any 
R2(config-if)#exit
R2(config)#no ip route 172.16.1.0 255.255.255.0 10.1.2.1
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.1
R2(config)#end 
R2#sh ip ro
*Oct 31 04:31:56.893: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.2.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
S        10.1.1.0/24 [1/0] via 10.1.2.1
C        10.1.2.0/24 is directly connected, GigabitEthernet0/1
L        10.1.2.2/32 is directly connected, GigabitEthernet0/1
C        10.2.3.0/24 is directly connected, GigabitEthernet0/0
L        10.2.3.2/32 is directly connected, GigabitEthernet0/0
S        10.3.3.0/24 [1/0] via 10.2.3.3
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.3.0 [1/0] via 10.2.3.3
R2#sh run int gig0/1
Building configuration...

Current configuration : 157 bytes
!
interface GigabitEthernet0/1
 ip address 10.1.2.2 255.255.255.0
 ip verify unicast source reachable-via any
 duplex auto
 speed auto
 media-type rj45
end

R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via ANY
   10 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec ip statistics
R2#sh ip traffic | sec ip statistic 
R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 60 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 10 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
  • server-2
:~$ hostname
server-2
:~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:00:E0:1C  
          inet addr:172.16.1.202  Bcast:172.16.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:980 (980.0 B)  TX bytes:418442 (408.6 KiB)

:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.16.1.1      0.0.0.0         UG    0      0        0 eth0
127.0.0.1       *               255.255.255.255 UH    0      0        0 lo
172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
:~$ ping 10.3.3.201 -c2
PING 10.3.3.201 (10.3.3.201): 56 data bytes

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
:~$ ping 10.3.3.201 -c2
PING 10.3.3.201 (10.3.3.201): 56 data bytes

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
:~$ erver-2
R2#sh ip int gig0/1 | sec IP verify 
  IP verify source reachable-via ANY
   14 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 60 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 14 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
ubuntu@ubuntu-0:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201) 56(84) bytes of data.
64 bytes from 10.3.3.201: icmp_seq=1 ttl=61 time=4.07 ms
64 bytes from 10.3.3.201: icmp_seq=2 ttl=61 time=4.55 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.079/4.318/4.557/0.239 ms
ubuntu@ubuntu-0:~$

In the example above, the default route does not satisfy uRPF: with the static route for 172.16.1.0/24 removed, the only route back to server-2 (172.16.1.202) is 0.0.0.0/0 via 10.1.2.1, and loose mode without allow-default ignores it, so server-2's pings to 10.3.3.201 are dropped (verification drops went from 10 to 14) while ubuntu-0 still gets through.

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via any allow-default
!
end
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/1
R2(config-if)#ip veri
R2(config-if)#ip verify sou
R2(config-if)#ip verify uni
R2(config-if)#ip verify unicast sou
R2(config-if)#ip verify unicast source reac
R2(config-if)#ip verify unicast source reachable-via an
R2(config-if)#ip verify unicast source reachable-via any all
R2(config-if)#ip verify unicast source reachable-via any allow-de
R2(config-if)#ip verify unicast source reachable-via any allow-default 
R2(config-if)#end
R2#sh 
*Oct 31 04:40:48.375: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run int gig0/1
Building configuration...

Current configuration : 171 bytes
!
interface GigabitEthernet0/1
 ip address 10.1.2.2 255.255.255.0
 ip verify unicast source reachable-via any allow-default
 duplex auto
 speed auto
 media-type rj45
end

R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via ANY, allow default
   14 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 64 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 14 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#
ubuntu@ubuntu-0:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201) 56(84) bytes of data.
64 bytes from 10.3.3.201: icmp_seq=1 ttl=61 time=3.70 ms
64 bytes from 10.3.3.201: icmp_seq=2 ttl=61 time=5.46 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.708/4.587/5.467/0.882 ms
:~$ ping 10.3.3.201 -c2
PING 10.3.3.201 (10.3.3.201): 56 data bytes
64 bytes from 10.3.3.201: seq=0 ttl=61 time=4.232 ms
64 bytes from 10.3.3.201: seq=1 ttl=61 time=4.087 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.087/4.159/4.232 ms
:~$ erver-2
R2#sh ip int gig0/1 | sec IP verify 
  IP verify source reachable-via ANY, allow default
   14 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 72 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 14 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path

Good: with allow-default, server-2's ping to 10.3.3.201 succeeds again and the verification drops stay at 14.

uRPF Strict Mode w/ default route 2c48b3f3-b309-4f1b-84d0-831c256aadb1

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via rx
!
no ip route 172.16.1.0 255.255.255.0 10.1.2.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
end
show ip route
show running-config interface GigabitEthernet 0/1
show ip interface GigabitEthernet 0/1 | section IP verify source
show ip traffic | section IP statistics
ping -c2 10.3.3.201
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/1
R2(config-if)#ip veri
R2(config-if)#ip verify unicast
R2(config-if)#ip verify unicast sou
R2(config-if)#ip verify unicast source reach
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit
R2(config)#do sh run | i ip route
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip route 10.1.1.0 255.255.255.0 10.1.2.1
ip route 10.3.3.0 255.255.255.0 10.2.3.3
ip route 172.16.3.0 255.255.255.0 10.2.3.3
R2(config)#end
R2#
*Oct 31 04:52:50.719: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.2.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
S        10.1.1.0/24 [1/0] via 10.1.2.1
C        10.1.2.0/24 is directly connected, GigabitEthernet0/1
L        10.1.2.2/32 is directly connected, GigabitEthernet0/1
C        10.2.3.0/24 is directly connected, GigabitEthernet0/0
L        10.2.3.2/32 is directly connected, GigabitEthernet0/0
S        10.3.3.0/24 [1/0] via 10.2.3.3
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.3.0 [1/0] via 10.2.3.3
R2#sh run int gig0/1
Building configuration...

Current configuration : 156 bytes
!
interface GigabitEthernet0/1
 ip address 10.1.2.2 255.255.255.0
 ip verify unicast source reachable-via rx
 duplex auto
 speed auto
 media-type rj45
end

R2#sh ip int gig0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.2.2/24
  Broadcast address is 255.255.255.255
  Address determined by configuration file
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
          
R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via RX
   14 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traf
R2#sh ip traf | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 72 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 14 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#
ubuntu@ubuntu-0:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201) 56(84) bytes of data.
64 bytes from 10.3.3.201: icmp_seq=1 ttl=61 time=4.16 ms
64 bytes from 10.3.3.201: icmp_seq=2 ttl=61 time=4.66 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.162/4.413/4.664/0.251 ms
ubuntu@ubuntu-0:~$
:~$ hostname
server-2
:~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:00:E0:1C  
          inet addr:172.16.1.202  Bcast:172.16.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1382 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1296 (1.2 KiB)  TX bytes:468704 (457.7 KiB)

:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.16.1.1      0.0.0.0         UG    0      0        0 eth0
127.0.0.1       *               255.255.255.255 UH    0      0        0 lo
172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201): 56 data bytes

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
:~$ 
R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via RX
   14 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traf
R2#sh ip traf | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 72 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 14 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via RX
   16 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traf | sec IP statistics  
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 76 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 16 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#

Strict Mode without allow-default drops packets sourced from 172.16.1.0/24, because that source matches only the default route, and uRPF does not count a default-route match as a valid return path unless allow-default is configured.

  • R2
configure terminal
!
interface GigabitEthernet 0/1
 ip verify unicast source reachable-via rx allow-default
!
end
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/1
R2(config-if)#ip verify unicast sour
R2(config-if)#ip verify unicast source reach
R2(config-if)#ip verify unicast source reachable-via rx all
R2(config-if)#ip verify unicast source reachable-via rx allow-?
allow-default  allow-self-ping  

R2(config-if)#ip verify unicast source reachable-via rx allow-defa
R2(config-if)#ip verify unicast source reachable-via rx allow-default 
R2(config-if)#end
R2#
*Oct 31 05:04:52.235: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip int gig0/1 | sec ip verify
R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via RX, allow default
   16 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traff | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 76 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 16 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#
R2#
R2#
R2#sh run int gig0/1              
Building configuration...

Current configuration : 170 bytes
!
interface GigabitEthernet0/1
 ip address 10.1.2.2 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
 duplex auto
 speed auto
 media-type rj45
end

R2#
ubuntu@ubuntu-0:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201) 56(84) bytes of data.
64 bytes from 10.3.3.201: icmp_seq=1 ttl=61 time=3.96 ms
64 bytes from 10.3.3.201: icmp_seq=2 ttl=61 time=4.76 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 3.967/4.363/4.760/0.401 ms
ubuntu@ubuntu-0:~$
:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201): 56 data bytes
64 bytes from 10.3.3.201: seq=0 ttl=61 time=4.386 ms
64 bytes from 10.3.3.201: seq=1 ttl=61 time=4.742 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.386/4.564/4.742 ms
:~$ ping -c2 10.3.3.201
PING 10.3.3.201 (10.3.3.201): 56 data bytes
64 bytes from 10.3.3.201: seq=0 ttl=61 time=5.097 ms
64 bytes from 10.3.3.201: seq=1 ttl=61 time=4.789 ms

--- 10.3.3.201 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.789/4.943/5.097 ms
R2#sh ip int gig0/1 | sec IP verify
  IP verify source reachable-via RX, allow default
   16 verification drops
   12 suppressed verification drops
   0 verification drop-rate

R2#sh ip traffic | sec IP statistics
IP statistics:
  Rcvd:  4 total, 0 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
         0 invalid hole
  Bcast: 0 received, 0 sent
  Mcast: 0 received, 0 sent
  Sent:  4 generated, 88 forwarded
  Drop:  0 encapsulation failed, 0 unresolved, 0 no adjacency
         4 no route, 16 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path
R2#

Now traffic from 172.16.1.0/24 is allowed. But be careful: a spoofed source such as 172.16.255.254 is also allowed and forwarded, because it too matches the default route and is therefore assumed to be reachable via the inbound GigabitEthernet 0/1 interface. With allow-default, strict mode only rejects sources whose best route points out a different interface (or that have no route at all).
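To make the strict/loose/allow-default decision above concrete, here is a small model of the uRPF check run against R2's routing table (an added example, not the wiki's or Cisco's code). The default route via 10.1.2.1 out GigabitEthernet0/1 is an assumption for the "w/ default route" tasks, since this section does not print it; the function names are my own.

```python
"""Model of Cisco uRPF's per-packet decision (added example, not from the wiki)."""
import ipaddress

# (prefix, egress interface): constructed from R2's 'sh ip ro' output on this
# page, plus an ASSUMED default route toward R1 out GigabitEthernet0/1.
R2_ROUTES = [
    ("10.1.2.0/24", "GigabitEthernet0/1"),
    ("10.2.3.0/24", "GigabitEthernet0/0"),
    ("10.3.3.0/24", "GigabitEthernet0/0"),    # via 10.2.3.3
    ("172.16.3.0/24", "GigabitEthernet0/0"),  # via 10.2.3.3
    ("0.0.0.0/0", "GigabitEthernet0/1"),      # assumed default via 10.1.2.1
]

def lookup(routes, addr):
    """Longest-prefix match; returns (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(routes, src, in_iface, mode="strict", allow_default=False):
    """True if a packet with source src arriving on in_iface passes uRPF.

    strict (reachable-via rx):  best route to src must point back out in_iface.
    loose  (reachable-via any): any route to src is enough; interface ignored.
    Without allow-default, a match on 0.0.0.0/0 counts as having no route,
    which is why 172.16.1.0/24 was dropped on this page until it was added.
    """
    hit = lookup(routes, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == in_iface

if __name__ == "__main__":
    # 172.16.255.254 is the spoofed source the page warns about: with
    # allow-default it passes strict mode exactly like the real server-2.
    for src in ("172.16.1.202", "172.16.255.254", "10.3.3.201"):
        for allow in (False, True):
            verdict = urpf_permits(R2_ROUTES, src, "GigabitEthernet0/1", "strict", allow)
            print(f"{src:16} strict allow-default={allow!s:5} -> {'permit' if verdict else 'drop'}")
```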

Wireshark Packet Capture Result

References

tech/network/cisco/security/network-security/urpf/urpf.txt · Last modified: 2020/10/31 14:22 by wnoguchi