Building Network Automation Solutions
6 week online course starting in September 2017

Does uRPF Make Sense in Internet Service Provider Networks?

Every time someone wonders about the viability of unicast reverse path forwarding (uRPF) as source address validation technique at the edge of an ISP network, someone else inevitably claims it can’t possibly work due to asymmetrical routing issues. Is the situation really so black-and-white?

What Is uRPF?

uRPF is a very simple (and crude) source IP address validation mechanism. It uses IP routing table to verify whether the source IP address of an incoming packet makes sense:

  • Strict uRPF requires a match between the input interface and the FIB next-hop interface for the source IP address;
  • Loose uRPF requires the presence of a prefix matching source IP address in the FIB. Default route may or may not be considered a match.

What can uRPF check?

Strict uRPF is ideal when you want to check the traffic coming from a user with a single uplink. As the user has a single uplink, the only path to reach the user is through the provider edge (PE) router performing the uRPF check. If the source IP address of an incoming packet doesn’t match the reverse path, the user is obviously trying to spoof its source IP address.

Strict uRPF may drop legitimate packets of multihomed customers when the customer wants its upstream ISPs to prefer one of the uplinks, but sends the outbound packets over another uplink. It fares no better in any environment with asymmetrical routing (pretty common in the Internet core).

Loose uRPF will catch packets sent from dark address space, but won’t stop source IP address spoofing using legitimate globally-reachable IP addresses. It’s becoming quite useless in the IPv4 world (most of the available IPv4 space is advertised to the global Internet).

Is uRPF useful?

As always, the only correct answer is “it depends.” Strict uRPF is the ideal tool to use on PE routers that use static routing toward the customers (most residential and SMB customers). These customers are also least likely to have proper security and are thus most exposed to botnet exploits. Running uRPF on these links is mandatory (IMHO), but of course few ISPs do it (because it requires an extra configuration line?).

Strict uRPF is pretty useless on inter-ISP links, and loose uRPF is not much better in IPv4 world. Loose uRPF might still make sense in IPv6 world.

Any other scenarios/thoughts? Please share them in the comments.

More information

The following two RFCs are mandatory reading for anyone designing or running an ISP network:

8 comments:

  1. Interesting article, as always Ivan.

    uRPF has been enhanced though: "It will also work if the customer is multihomed to the ISP or multiple ISPs. Unicast RPF will also work on links to Internet exchange points (IXPs).
    What does not work in the uRPF original “strict mode” implementation is if uRPF is applied on routers with multiple connections to multiple ISPs.": http://www.cisco.com/web/about/security/intelligence/urpf.pdf

    ReplyDelete
    Replies
    1. Thanks for the link. Definitely an interesting document, and I love the pseudocode on page 7, but it defines "loose mode" uRPF that I already mentioned in the article, so it was an enhancement 8 years ago when the document was published, but is old news by now.

      Delete
  2. Hi Ivan,
    i would mention that is important to stress the importance/availability of uRPF for IPv6 (it is not always available from all vendors).

    ReplyDelete
  3. Even with uRPF in loose mode if you route a block to Null0 it will still Null route it. This makes Source based Real Time Blacking Listing work even in loose mode. Being able to block inbound abuse without having to modify ACLs has been very useful to me.

    http://packetlife.net/blog/2010/aug/23/source-based-rtbh/

    ReplyDelete
  4. There is also Feasible path uRPF, which is a good compromise between strict and loose. This option is not supported on IoS (last time I checked), but it is supported on other platforms (e.g Junos). Feasible path uRPF will discard the packet unless *a* route (not necessarily the best) to the source address is through the interface on which the packet was received. For loose, the route just has to exist. The inbound interface is not considered.

    ReplyDelete
  5. I run across issues with this almost every month or two, with XYZ provider/ISP running uRPF and not really understanding the problems it can bring. Asymmetric routing breaks it and then they wonder why customers complain about not being able to get to stuff.

    ReplyDelete
  6. As Brian suggests, loose uRPF can be helpfull to block DOS attacks on your network. By enabling uRPF on all your upstream links, you can use Null routes to stop traffic at the edge of your netwerk.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.