Unicast Reverse Path Forwarding check on 7210 SAS-K 3SFP+ 8C

The Unicast Reverse Path Forwarding Check (Unicast RPF) feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. The feature works by discarding IP packets that lack a verifiable IP source address. For example, common types of denial-of-service (DoS) attacks, including smurf and tribe flood network (TFN), use forged or rapidly changing source addresses to thwart efforts to locate or filter the attacks. ISPs that provide public access can use Unicast RPF to deflect such attacks by forwarding only packets whose source IP addresses are valid and consistent with the IP routing table. This protects the network of the ISP, its customers, and the rest of the Internet.

Unicast RPF is supported for both IPv4 and IPv6 on access ports only. It is supported on any IP interface configured in the IES and VPRN services.

Unicast RPF has two modes: strict and loose, but the 7210 SAS-K 3SFP+ 8C supports only strict mode in this release.

In strict mode, Unicast RPF checks whether the routing table contains a matching prefix entry for the source address of the incoming packet, and whether the interface on which the packet arrived is one on which a packet with that source address prefix is expected. If urpf-check is enabled on an interface, strict mode Unicast RPF checking is assumed for all such interfaces, because strict mode is the only mode supported in this release.

In the case of ECMP, the 7210 SAS-K 3SFP+ 8C allows a packet received on an IP interface configured in strict mode Unicast RPF to be forwarded, if the IP interface on which the packet is received matches any one of the interfaces used by that ECMP route.

If there is a default route, the following is included in the Unicast RPF check:

If the source IP address matches a discard/blackhole route, the packet is treated as if it failed the Unicast RPF check.
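As an added example that is not Nokia's code or the 7210 SAS implementation, the following Python models the strict-mode check described above over a constructed routing table: longest-prefix match on the source address, the ECMP rule that arrival on any one of the route's interfaces is acceptable, and discard/blackhole routes counting as a failed check. The prefixes and interface names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> set of interfaces the route uses
# (several interfaces model an ECMP route), or None for a discard/blackhole
# route. Interface names and prefixes are illustrative, not device config.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): {"to-cust-a"},
    ipaddress.ip_network("10.2.0.0/24"): {"to-cust-b1", "to-cust-b2"},  # ECMP
    ipaddress.ip_network("192.0.2.0/24"): None,  # discard/blackhole route
    ipaddress.ip_network("2001:db8:a::/48"): {"to-cust-a"},  # IPv6 route
}


def lookup(src):
    """Longest-prefix match of src against ROUTES.

    Returns (prefix, interfaces) for the most specific covering route,
    or None when no route covers the source address.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in ROUTES.items():
        # 'in' is False across address families, so IPv4/IPv6 never mix.
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best


def strict_urpf_passes(src, ingress_iface):
    """Strict-mode Unicast RPF decision for one packet.

    Pass only if the source matches a route, that route is not a
    discard/blackhole route, and the ingress interface is one of the
    interfaces the route uses (any one of them, for ECMP).
    """
    hit = lookup(src)
    if hit is None:
        return False  # no verifiable source address: drop
    _prefix, ifaces = hit
    if ifaces is None:
        return False  # discard/blackhole route: treated as a failed check
    return ingress_iface in ifaces


def filter_packets(packets):
    """Apply the check to (src, ingress_iface) tuples; return those forwarded."""
    return [p for p in packets if strict_urpf_passes(*p)]
```

Because the /24 is more specific than the /8, a 10.2.0.x source arriving on to-cust-a fails even though the /8 points there, which is the longest-prefix behaviour a strict check relies on.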