Local Unicast Reverse Path Forwarding (URPF) obtains the source address and inbound interface of a packet. Local URPF then uses the source address as the destination address to retrieve the corresponding inbound interface in the FIB and checks whether the retrieved interface matches the inbound interface. In this manner, local URPF can effectively protect the device against malicious attacks by blocking packets from bogus source addresses.
Generally, upon receiving a packet, the device searches for a route according to the destination address of the packet. If the route is available, the packet is forwarded; otherwise, the packet is dropped. Local URPF obtains the source address and inbound interface of the packet. URPF then uses the source address as the destination address to retrieve the corresponding inbound interface in the FIB and checks whether the retrieved interface matches the inbound interface. If they do not match, URPF considers the source address to be spoofed and discards the packet.
The mode of local URPF can be any of the following:
Strict mode: If a packet precisely matches a route (default route excluded), and the incoming interface of the packet is the outgoing interface of the route, the packet is delivered to the protocol stack/CPU or forwarded; otherwise, the packet is discarded.
Loose mode: If a packet precisely matches a route (default route excluded), the packet is delivered to the protocol stack/CPU or forwarded; otherwise, the packet is discarded.
Strict and default route mode: If a packet matches a detailed route or the default route, and the incoming interface of the packet is the outgoing interface of the matching route, the packet is delivered to the protocol stack/CPU or forwarded; otherwise, the packet is discarded.
Loose and default route mode: If a packet matches a detailed route or the default route, the packet is delivered to the protocol stack/CPU or forwarded; otherwise, the packet is discarded.
Interface-level local URPF: strict, loose, strict + default, or loose + default mode.
Flow-based local URPF: strict, loose, strict + default, or loose + default mode.
The mechanism of local URPF is to search the FIB according to the source IP address of the packet. When a Layer 3 IP packet enters the Network Processor (NP) from a network interface, the device searches the FIB for a matching route. If a local route is successfully matched, the device sends the packet to the CP for further processing. Otherwise, the device forwards the packet. Before a packet is delivered to the CP or forwarded, local URPF obtains the source address and inbound interface of the packet. URPF then uses the source address as the destination address to retrieve the corresponding interface in the FIB and checks whether the retrieved interface matches the inbound interface.
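The four modes described above reduce to two switches: whether the inbound interface must equal the route's outgoing interface, and whether the default route counts as a match. The following Python model is an added example, not vendor code; the FIB entries, interface names and function names are constructed for illustration, and each route is assumed to have a single outgoing interface.

```python
import ipaddress

# Constructed sample FIB: (prefix, outgoing interface). Not from any real device.
FIB = [
    ("0.0.0.0/0", "ge0/0"),      # default route
    ("10.1.0.0/16", "ge0/1"),
    ("10.1.2.0/24", "ge0/2"),
]

# mode -> (inbound interface must match, default route counts as a match)
MODES = {
    "strict": (True, False),
    "loose": (False, False),
    "strict+default": (True, True),
    "loose+default": (False, True),
}

def lookup(src, fib=FIB):
    """Longest-prefix match on the packet's SOURCE address."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best  # (network, outgoing interface) or None

def urpf_permit(src, in_if, mode, fib=FIB):
    """Return True if the packet passes the URPF check, False if discarded."""
    check_if, allow_default = MODES[mode]
    hit = lookup(src, fib)
    if hit is None:
        return False                      # no route back to the source
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if check_if and out_if != in_if:
        return False                      # arrived on the wrong interface
    return True

def verdicts(src, in_if, fib=FIB):
    """Evaluate one packet under all four modes."""
    return {mode: urpf_permit(src, in_if, mode, fib) for mode in MODES}

if __name__ == "__main__":
    for src, in_if in [("10.1.2.5", "ge0/2"), ("10.1.2.5", "ge0/1"),
                       ("192.0.2.7", "ge0/0"), ("192.0.2.7", "ge0/1")]:
        print(src, in_if, verdicts(src, in_if))
```

The second sample packet shows why strict mode is longest-match sensitive: 10.1.2.5 is covered by the /16 on ge0/1, but the more specific /24 points to ge0/2, so the packet is discarded in both strict modes.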