Application Scenarios for URPF

Application of Strict URPF on an ISP Network

In Figure 1, CE-1 on Network A and CE-2 on Network B are connected to PE-1 on the ISP network. URPF is enabled on Port1 and Port2 of PE-1 to protect the ISP network against source address spoofing attacks from Network A and Network B.

Figure 1 Schematic diagram of application of strict URPF on an ISP Network

In this example, a PC in Network A sends a request packet with the forged source address 2.2.2.2 to Network C. After receiving the request packet, PE-1 performs the URPF check based on the inbound interface and source address of the packet. PE-1 finds that the request packet should enter through Port2, but it entered through Port1. PE-1 considers the source address of the packet to be a bogus source address and discards the packet. In this manner, PE-1 is protected against the source address spoofing attack.

Application of Strict URPF Across ASs

In Figure 2, there is one path between AS1 and AS3 and another path between AS2 and AS3. URPF is enabled on Port1 and Port2 of Device C to protect AS3 against source address spoofing attacks launched by AS1 and AS2.

Figure 2 Schematic diagram of application of strict URPF across ASs

In this example, a PC in a network sends a request packet with the forged source address 2.2.2.2 to the server on the ISP. After receiving the request packet, Device C performs the URPF check on the packet based on the source address and inbound interface of the packet. Device C finds that the request packet should enter through Port2, but it entered through Port1. Therefore, Device C considers the source address of the packet to be a bogus source address and discards the packet.

After normal packets sent to the server by a user in AS2 pass the URPF check, the packets are forwarded normally.

Application of Loose URPF on ISP Networks

Loose URPF is applicable to the scenario where a client is dual-homed to devices on an ISP network as well as the scenario where a client is dual-homed to devices on different ISP networks.

Figure 3 URPF application environment where a client is dual-homed to devices on an ISP network

In the example shown in Figure 3, multiple connections are set up between an enterprise network and an ISP to ensure reliability. In this case, symmetrical routes between the enterprise network and the ISP network cannot be ensured, and loose URPF must be used.

Scenario Where a Client Is Dual-Homed to Devices on Different ISP Networks

In the example shown in Figure 4, the enterprise network is connected to multiple ISP networks. It is difficult to ensure symmetrical routes between the enterprise network and two ISP networks. Therefore, loose URPF must be used.

Figure 4 URPF application environment where a client is dual-homed to devices on different ISP networks

URPF applied in the scenario where an enterprise network is connected to multiple ISP networks has the following characteristics:

  • If any special packet is required to pass the URPF check under all conditions, you can specify the source address in an ACL.

  • Many users' routers may have only one default route leading to an ISP network. Therefore, default routing entries should be configured.
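The strict and loose checks described in the scenarios above can be modeled in a few lines. The following is an added example, not vendor code or configuration: the function name, its parameters (allow_default, acl_permit) and all prefixes are assumptions made for illustration; only the address 2.2.2.2 and the port names Port1 and Port2 come from this page.

```python
import ipaddress

def urpf_check(fib, src, in_if, mode="strict", allow_default=False, acl_permit=()):
    """Return True if a packet with source `src` arriving on `in_if` passes URPF.

    fib           list of (prefix, interface) routes
    mode          "strict": a best route to src must point out of in_if
                  "loose":  any route to src is enough
    allow_default hypothetical switch: may a default route satisfy the check?
    acl_permit    hypothetical list of source prefixes that always pass
    """
    addr = ipaddress.ip_address(src)
    # Sources named in the ACL pass under all conditions.
    if any(addr in ipaddress.ip_network(p) for p in acl_permit):
        return True
    routes = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
    matches = [(n, ifc) for n, ifc in routes
               if addr in n and (allow_default or n.prefixlen > 0)]
    if not matches:
        return False  # no usable route back to the source
    if mode == "loose":
        return True
    # Strict: compare the inbound interface with the longest-prefix route(s).
    best = max(n.prefixlen for n, _ in matches)
    return in_if in {ifc for n, ifc in matches if n.prefixlen == best}

# Constructed tables. Only 2.2.2.2 and the port names are from the page.
PE1_FIB = [("1.1.1.0/24", "Port1"), ("2.2.2.0/24", "Port2")]  # Figure 1
DUAL_HOMED_FIB = [("10.1.0.0/16", "Port1")]    # Figure 3: best route uses one link
DEFAULT_ONLY_FIB = [("0.0.0.0/0", "Port1")]    # router with a single default route

if __name__ == "__main__":
    # Forged source 2.2.2.2 arriving on Port1 is dropped; on Port2 it passes.
    print(urpf_check(PE1_FIB, "2.2.2.2", "Port1"))
    print(urpf_check(PE1_FIB, "2.2.2.2", "Port2"))
    # Asymmetric return path: strict drops legitimate traffic, loose forwards it.
    print(urpf_check(DUAL_HOMED_FIB, "10.1.5.5", "Port2", mode="strict"))
    print(urpf_check(DUAL_HOMED_FIB, "10.1.5.5", "Port2", mode="loose"))
```

The dual-homed case shows why strict mode cannot be used when routes are asymmetric: the source is legitimate, but the best route back to it points out of a different interface than the one the packet arrived on.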

Copyright © Huawei Technologies Co., Ltd.