
Unicast RPF

Updated on Oct 17, 2024 by

What is Unicast RPF?

Unicast Reverse Path Forwarding (RPF) enhances network security by mitigating issues caused by malformed or spoofed IP source addresses. It discards IP packets that lack verifiable source information, effectively reducing the risk of malicious traffic. Common denial-of-service (DoS) attacks, such as Smurf and Tribal Flood Network (TFN), exploit forged or rapidly changing source IP addresses to evade detection. Unicast RPF addresses this by allowing devices to verify the reachability of source addresses and forwarding only packets with valid addresses consistent with the IP routing table. This protective measure safeguards the networks of ISPs, their customers, and the broader Internet.

Unicast RPF Functionality

When Unicast RPF is activated on a device's interface, it analyzes all incoming packets to ensure their source address and arrival interface align with the routing table. This "backward" checking is feasible only with Cisco Express Forwarding (CEF), which generates the Forwarding Information Base (FIB) that the lookup relies on. Unicast RPF operates solely on the input interface at the upstream end of a connection.

Unicast RPF performs a reverse lookup in the Express Forwarding table to verify if the received packet comes from the best return path to its source. If it does, the packet is forwarded normally. However, if no valid return path exists on the incoming interface, the source address may have been altered. Notably, Unicast RPF recognizes all equal-cost return paths as valid, supporting multiple paths as long as they share the same routing cost and are present in the FIB, and it is also compatible with Enhanced Interior Gateway Routing Protocol (EIGRP) variants.

Before forwarding a packet on an interface with Unicast RPF and ACLs configured, the following checks are performed in order:

  1. Check input ACLs on the inbound interface.

  2. Verify that the packet arrived via the best return path, using a reverse lookup in the FIB.

  3. Look up the Express Forwarding table to determine the forwarding path.

  4. Check output ACLs on the outbound interface.

  5. Forward the packet.

Two Modes of Unicast RPF: Strict and Loose

In RPF Strict mode, the router checks the source address against its routing table and expects packets to arrive on the interface it would use to forward responses back to that source. This approach is effective in symmetrically routed networks but can drop legitimate traffic where routing is asymmetric, that is, where a packet arrives on an interface other than the one the router would use to reach its source.

Conversely, Loose Mode relaxes this requirement: the router only verifies that a route to the source address exists, without considering which interface the packet arrived on. This still improves DDoS resistance, because packets whose source addresses have no route at all, such as private or unallocated (bogon) space, are dropped. Because its checks tolerate asymmetric paths, Loose Mode is particularly useful for ISPs managing multiple connections, where it ensures that only packets with routable sources are forwarded and thereby increases resilience against spoofed-address attacks.

How Does Unicast RPF Work?

Each time a packet is either dropped or forwarded at an interface, the event is recorded both globally on the router and at each interface with Unicast RPF applied. While global statistics indicate potential network attacks, they do not pinpoint the specific interface involved.

Per-interface statistics enable network administrators to monitor malformed packets through two metrics: Unicast RPF drops and Unicast RPF suppressed drops. The drop count identifies the entry point of an attack by tracking how many packets were discarded at the interface. In contrast, the suppressed drop count reflects packets that failed the Unicast RPF check but were permitted due to ACL settings. Together, these statistics assist administrators in isolating attacks to specific interfaces.

The following figures illustrate how Unicast RPF and CEF collaborate to validate IP source addresses by checking packet return paths. For example, if a packet with a source address of 192.168.1.1 is sent from interface FDDI 2/0/0, Unicast RPF verifies its path in the FIB. If a matching path exists, the packet is forwarded; if not, it is dropped.

Figure: Unicast RPF (reverse lookup of source 192.168.1.1 in the FIB)

Similarly, when a packet from source address 209.165.200.225 is received at interface FDDI 2/0/0, Unicast RPF checks for a return path. In this instance, without a reverse entry in the routing table, the packet is dropped.

Figure: routing table (no reverse entry for source 209.165.200.225)
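The reverse lookup, the strict versus loose distinction, and the per-interface drop and suppressed-drop counters described above, as an added Python model that is not code from this page or from any vendor. The FIB, interface names and ACL below are constructed for the example; the allow_default switch mirrors the behaviour of the IOS allow-default keyword, under which a default route does not satisfy the check unless explicitly allowed.

```python
import ipaddress
from collections import Counter

# Constructed sample FIB (not from the page): prefix -> egress interfaces.
# Two interfaces on 10.0.0.0/8 model equal-cost paths, which the check accepts.
FIB = {
    ipaddress.ip_network("192.168.1.0/24"): {"FDDI2/0/0"},
    ipaddress.ip_network("10.0.0.0/8"): {"Serial1/0", "Serial1/1"},
    ipaddress.ip_network("0.0.0.0/0"): {"GigabitEthernet0/0"},
}

def fib_lookup(src, allow_default=False):
    """Longest-prefix match for the source address. The default route only
    satisfies the check when allow_default is set (IOS 'allow-default')."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in FIB.items():
        if addr not in prefix or (prefix.prefixlen == 0 and not allow_default):
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, ifaces)
    return None if best is None else best[1]

def rpf_check(src, in_iface, mode="strict", allow_default=False):
    """True if the packet passes uRPF on in_iface.
    strict: a route to src must point back out in_iface (any ECMP member counts).
    loose: any route to src is enough, whatever the interface."""
    ifaces = fib_lookup(src, allow_default)
    if ifaces is None:
        return False
    return mode == "loose" or in_iface in ifaces

class UrpfInterface:
    """Per-interface counters as in the text: drops and suppressed drops."""
    def __init__(self, name, mode="strict", acl_permit=()):
        self.name, self.mode = name, mode
        self.acl_permit = [ipaddress.ip_network(n) for n in acl_permit]
        self.stats = Counter()

    def receive(self, src):
        if rpf_check(src, self.name, self.mode):
            self.stats["forwarded"] += 1
            return "forward"
        # Failed the check: an ACL permit still forwards it, counted as a suppressed drop.
        if any(ipaddress.ip_address(src) in n for n in self.acl_permit):
            self.stats["suppressed_drops"] += 1
            return "forward"
        self.stats["drops"] += 1
        return "drop"
```

Running the two figure cases through an interface named FDDI2/0/0 forwards 192.168.1.1 and drops 209.165.200.225; adding an ACL that permits 10.0.0.0/8 turns a strict-mode failure for that range into a suppressed drop rather than a drop.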

Rules for Effectively Implementing Unicast RPF

When implementing Unicast RPF, adhere to the following rules:

  • Packets must arrive at an interface that provides the best return path to their source, a concept known as symmetric routing. The route in the FIB must correspond to the receiving interface. Ensure this route is established through dynamic or static routing or by using a network statement.

  • The IP source addresses at the receiving interface must align with the routing entry for that interface.

  • Unicast RPF functions as an input mechanism and should be applied at the input interface of a device at the upstream end of a connection.

Network administrators can utilize Unicast RPF for both customer networks and their downstream ISPs, even if those ISPs have alternative connections to the Internet. However, be cautious: modifying the best path to source addresses using optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, can affect the effectiveness of Unicast RPF.

Restrictions of Unicast RPF

Unicast RPF has certain limitations, including the lack of support for ACL templates. For multihomed clients, some key restrictions apply:

Clients should not be multihomed on the same device, as this undermines the goal of providing redundancy. Additionally, packets sent upstream (out to the Internet) must match the routes advertised through the link; otherwise, Unicast RPF will classify these packets as malformed and filter them out.
