Understanding Unicast RPF for EX Series Switches
Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source address of each packet that arrives on an ingress interface where unicast RPF is enabled. It also helps ensure that traffic arriving on ingress interfaces comes from a network source that the receiving interface can reach.
When you enable unicast RPF, the switch forwards a packet only if the receiving interface is the best return path to the packet's unicast source address. This is known as strict mode unicast RPF. The switch applies unicast RPF globally to all interfaces. Therefore, you should enable unicast RPF only on switches with all symmetrically routed interfaces. (A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination.)
This topic covers:
Unicast RPF for EX Series Switches Overview
Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces.
Strict mode unicast RPF is especially useful on untrusted interfaces. An untrusted interface is an interface where untrusted users or processes can place packets on the network segment.
The switch supports only the active paths method of determining the best return path back to a unicast source address. The active paths method looks up the best reverse path entry in the forwarding table. It does not consider alternate routes specified using routing-protocol-specific methods when determining the best return path.
If the forwarding table lists the receiving interface as the interface to use to forward the packet back to its unicast source, it is the best return path interface. Strict mode unicast RPF recognizes only one best return path to a unicast source address.
Use strict mode unicast RPF only on switches with all symmetrically routed interfaces. (For information about symmetrically routed interfaces, see When to Enable Unicast RPF.)
For more information about strict unicast RPF, see RFC 3704, Ingress Filtering for Multihomed Networks at http://www.ietf.org/rfc/rfc3704.txt.
Unicast RPF Implementation for EX Series Switches
- Global Unicast RPF Implementation
- Unicast RPF Packet Filtering
- Bootstrap Protocol (BOOTP) and DHCP Requests
- Default Route Handling
Global Unicast RPF Implementation
The switch implements unicast RPF on a global basis. Unicast RPF is globally disabled by default. You cannot enable unicast RPF on a per-interface basis.
- When you enable unicast RPF on any interface, it is automatically enabled on all switch interfaces, including link aggregation groups (LAGs) and routed VLAN interfaces (RVIs).
- When you disable unicast RPF on the interface (or interfaces) on which you enabled unicast RPF, it is automatically disabled on all switch interfaces.
 |
Note: You must explicitly disable unicast RPF on every interface on which it was explicitly enabled or unicast RPF remains enabled on all switch interfaces. |
Unicast RPF Packet Filtering
When you enable unicast RPF on the switch, the switch handles traffic in the following manner:
- If the switch receives a packet on the interface that is the best return path to the unicast source address of that packet, the switch forwards the packet.
- If the best return path from the switch to the packet's unicast source address is not the receiving interface, the switch discards the packet.
- If the switch receives a packet that has a source IP address that does not have a routing entry in the forwarding table, the switch discards the packet.
Bootstrap Protocol (BOOTP) and DHCP Requests
Bootstrap protocol and DHCP request packets are sent with a broadcast MAC address and therefore the switch does not perform unicast RPF checks on them. The switch forwards all BOOTP packets and DHCP request packets without performing unicast RPF checks.
Default Route Handling
If the best return path to the source is the default route (0.0.0.0) and the default route points to “reject”,
the switch discards all unicast RPF packets. If the default route
points to a valid network interface, the switch performs a normal
unicast RPF check on the packets.
When to Enable Unicast RPF
Enable unicast RPF when you want to ensure that traffic arriving on a network interface comes from a source that resides on a network that that interface can reach. You can enable unicast RPF on untrusted interfaces to filter spoofed packets. For example, a common application for unicast RPF is to help defend an enterprise network from DoS/DDoS attacks coming from the Internet.
Enable unicast RPF only on symmetrically routed interfaces. A symmetrically routed interface uses the same route in both directions between the source and the destination, as shown in Figure 1. Symmetrical routing means that if an interface receives a packet, the switch uses the same interface to send a reply to the packet source (the receiving interface matches the forwarding-table entry for the best return path to the source).
Figure 1: Symmetrically Routed Interfaces
Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces receive a packet and reply to its source) results in packets from legitimate sources being filtered (discarded) because the best return path is not the same interface that received the packet.
The following switch interfaces are most likely to be symmetrically routed and thus are candidates for unicast RPF enabling:
- The service provider edge to a customer
- The customer edge to a service provider
- A single access point out of the network (usually on the network perimeter)
- A terminal network that has only one link
|
Note: Because unicast RPF is enabled globally on the switch, ensure that all interfaces are symmetrically routed before you enable unicast RPF. Enabling unicast RPF on asymmetrically routed interfaces results in packets from legitimate sources being filtered. |
 |
Tip: Enabling unicast RPF as close as possible to the traffic source stops spoofed traffic before it can proliferate or reach interfaces that do not have unicast RPF enabled. |
|
It is best to enable unicast RPF explicitly on either all interfaces or only one interface:
|
When Not to Enable Unicast RPF
Typically, you will not enable unicast RPF if:
- Switch interfaces are multihomed.
- Switch interfaces are trusted interfaces.
- BGP is carrying prefixes and some of those prefixes are not advertised or are not accepted by the ISP under its policy. (The effect in this case is the same as filtering an interface by using an incomplete access list.)
- Switch interfaces face the network core. Core-facing interfaces are usually asymmetrically routed.
An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, as shown in Figure 2. This means that if an interface receives a packet, that interface does not match the forwarding table entry as the best return path back to the source. If the receiving interface is not the best return path to the source of a packet, unicast RPF causes the switch to discard the packet even though it comes from a valid source.
Figure 2: Asymmetrically Routed Interfaces
|
Note: Do not enable unicast RPF if any switch interfaces are asymmetrically routed because unicast RPF is enabled globally on all interfaces. All switch interfaces must be symmetrically routed for you to enable unicast RPF without the risk of the switch's discarding traffic that you want to forward. |
ECMP Traffic Handling with Unicast RPF Enabled
The switch does not perform unicast RPF filtering on equal-cost multipath (ECMP) traffic. The unicast RPF check examines only one best return path to the packet source, but ECMP traffic employs an address block consisting of multiple paths. Using unicast RPF to filter ECMP traffic can result in the switch's discarding packets that you want to forward because the unicast RPF filter does not examine the entire ECMP address block.
