Unicast reverse path forwarding (URPF) mainly defends against network attacks launched through source IP address spoofing.
URPF searches the FIB table for the route to the source IP address of a packet and checks whether the inbound interface of the packet is the same as the outbound interface of the route. If no route to the source IP address exists in the FIB table or the inbound interface of the packet is different from the outbound interface of the matching route, the packet is discarded. This ensures that the device is protected against malicious attacks launched through source IP address spoofing.
The device supports the following URPF check modes:
In strict mode, the route to the source IP address of a packet must exist in the FIB table, and the inbound interface of the packet must be the same as the outbound interface of the route.
You are advised to use the strict mode when the routing paths recorded on the local and remote devices are the same. For example, if there is only one path between two network edge devices, the strict mode can help ensure network security.
In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the FIB table.
You are advised to use the loose mode when the routing paths recorded on the local and remote devices may be different. For example, if there are multiple paths between two network edge devices, the loose mode can help defend against network attacks and prevent valid packets from being discarded.
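The two check modes described above can be modelled in a few lines. The following Python sketch is an added example, not vendor code: the FIB entries, interface names and function names are constructed sample values, and default-route handling (the allow-default-route keyword) is deliberately not modelled. It shows a packet with an unroutable source failing both modes, and a valid packet arriving over an asymmetric path failing strict mode but passing loose mode.

```python
import ipaddress

# Constructed sample FIB: (prefix, outbound interface). No default route is present.
FIB = [
    ("10.1.0.0/16", "GE0/0/1"),
    ("10.1.2.0/24", "GE0/0/2"),   # more specific than 10.1.0.0/16
    ("192.0.2.0/24", "GE0/0/3"),
]

def fib_lookup(src, fib=FIB):
    """Longest-prefix match on the source address; return the outbound interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, out_if)
    return best[1] if best else None

def urpf_check(src, in_if, mode, fib=FIB):
    """Return (passed, reason) for a packet with source `src` received on `in_if`."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    out_if = fib_lookup(src, fib)
    if out_if is None:
        return False, "no route to source in FIB"
    if mode == "strict" and out_if != in_if:
        return False, "inbound interface differs from route's outbound interface"
    return True, "ok"

def evaluate(packets, fib=FIB):
    """Run both modes over (src, in_if) pairs; return {(src, in_if): (strict_ok, loose_ok)}."""
    return {
        (src, in_if): (urpf_check(src, in_if, "strict", fib)[0],
                       urpf_check(src, in_if, "loose", fib)[0])
        for src, in_if in packets
    }

if __name__ == "__main__":
    # Constructed sample packets: (source IP, inbound interface)
    sample = [
        ("10.1.2.5", "GE0/0/2"),     # symmetric path
        ("10.1.2.5", "GE0/0/1"),     # valid source, asymmetric path
        ("203.0.113.9", "GE0/0/1"),  # source with no route in the FIB
    ]
    for key, (strict_ok, loose_ok) in evaluate(sample).items():
        print(key, "strict:", "pass" if strict_ok else "drop",
              "loose:", "pass" if loose_ok else "drop")
```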
If BFD and URPF are used together, URPF checks the source IP addresses of received BFD packets. You must manually specify source IP addresses bound to BFD sessions when configuring BFD for IP, so as to prevent BFD packets from being discarded incorrectly.
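To enable the URPF check on an interface, enter the system view and then the interface view, and run the command for the IP version in use:
system-view
interface interface-type interface-number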
IPv4 network:
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
IPv6 network:
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl6 acl-number ]
To configure the URPF check for IPv6 packets on an interface, enable the IPv6 function on the interface first. To do so, run the ipv6 enable command in the interface view.