URPF Fundamentals

URPF (Unicast Reverse Path Forwarding) works by enabling a device to verify that the source address of a received packet is reachable through the routing table. If the source IP address is unreachable, the packet is discarded.

In a complex network environment, URPF cannot work normally when routes are asymmetrical, because a legitimate packet may then arrive on an interface other than the one its source route points to.

To counteract the problem, the NetEngine 8000 F supports two URPF modes:

Strict Mode

In strict URPF mode, a data packet can pass the URPF check only when the forwarding table contains a matching entry and the outbound interface of the entry matches the inbound interface of the packet.

After interface-based strict URPF is enabled on a router, the router searches the routing table for a matching entry based on the source IP (IPv6) address of a received data packet. If the router finds such an entry, the router compares the outbound interface of the entry with the inbound interface of the packet. If the two interfaces match, the router considers the packet to have passed the URPF check and forwards it normally. If no such entry is found in the routing table, or the outbound interface of the entry and the inbound interface of the packet do not match, the router considers the source address of the data packet to be a bogus source address and discards the data packet.

If there is only one path between two network edge routers, symmetrical routes can be assured. In this case, using strict URPF can ensure network security to the maximum extent.

In strict URPF mode, the URPF check can be configured to also match the default route when there is no specific route to the source address but a default route exists. The check then verifies both the source address and interface consistency: the inbound interface of the packet must still match the outbound interface of the default route.

Loose Mode

In loose URPF mode, a packet can pass the URPF check as long as the routing table contains a route whose destination matches the source address of the packet, regardless of whether the outbound interface of the route matches the inbound interface of the packet.

After interface-based loose URPF is enabled on a router, the router searches the routing table for an entry based on the source IP (IPv6) address of a received data packet. If a matching entry is found, the data packet passes the URPF check and is forwarded normally. If no matching entry is found, the source address of the packet is considered to be a bogus source address, and the packet is discarded.

If there are multiple connections between two network edge devices, symmetrical routes cannot be assured. In this case, loose URPF can ensure network security to a certain extent.

In loose URPF mode, the URPF check can also be configured to match the default route when there is no specific route to the source address but a default route exists. However, this configuration has no actual significance, because loose URPF mode does not check interface consistency.

In a VPN, the NetEngine 8000 F searches the routing table for an entry based on the source IP (IPv6) address and the VRF (VPN index) of a received data packet.
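To make the strict and loose decision procedures concrete, here is an added simulation (example code, not NetEngine 8000 F software or configuration) that runs both checks over a constructed, VRF-aware routing table; the interface names, prefixes and the `allow_default` flag are assumptions that model the default-route matching option described above.

```python
import ipaddress

# Constructed routing table (not from a real device):
# (VRF / VPN index, destination prefix, outbound interface)
ROUTES = [
    ("public", "10.1.0.0/16", "GE0/1/0"),
    ("public", "10.2.0.0/16", "GE0/1/1"),
    ("public", "0.0.0.0/0", "GE0/1/2"),       # default route
    ("vpnA", "192.168.0.0/24", "GE0/2/0"),    # route visible only in VRF vpnA
]


def lookup(vrf, src_ip, allow_default):
    """Longest-prefix match on the packet's source address within one VRF.

    The default route only counts when allow_default is set, modelling the
    option of letting the URPF check match default routes.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for r_vrf, prefix, out_if in ROUTES:
        net = ipaddress.ip_network(prefix)
        if r_vrf != vrf or addr.version != net.version or addr not in net:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, out_if)
    return best


def urpf_check(src_ip, in_if, mode, vrf="public", allow_default=False):
    """Return True if the packet passes URPF, False if it is discarded.

    mode is "strict" (route must exist AND its outbound interface must equal
    the inbound interface) or "loose" (any route to the source suffices).
    """
    entry = lookup(vrf, src_ip, allow_default)
    if entry is None:
        return False            # no route: treated as a bogus source address
    if mode == "loose":
        return True             # loose mode ignores interface consistency
    return entry[1] == in_if    # strict mode: interfaces must match
```

In loose mode the `allow_default` flag turns the check into "accept everything" whenever a default route exists, which is why the text above calls that combination insignificant.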
Copyright © Huawei Technologies Co., Ltd.