R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring IPv6 uRPF
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such
as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
posing as authorized users or even the administrator. Even if the attackers or other hosts cannot
receive any response packets, the attacks still disrupt the attacked target.
Figure 132 Source address spoofing attack
As shown in Figure 132, an attacker on Router A sends the server (Router B) requests with a forged source
IPv6 address 2000::1 at a high rate, and Router B sends response packets to IPv6 address 2000::1
(Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects
Router C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
IPv6 uRPF can prevent these source address spoofing attacks by checking whether an interface that
receives a packet is the output interface of the FIB entry that matches the source address of the packet. If
not, uRPF considers it a spoofing attack and discards the packet.
IPv6 uRPF check modes
IPv6 uRPF supports strict and loose check modes.
• Strict IPv6 uRPF check—To pass the strict IPv6 uRPF check, the source address of a packet and the
receiving interface must match the destination address and output interface of an IPv6 FIB entry. In
some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets.
Strict IPv6 uRPF is often deployed between a PE and a CE.
• Loose IPv6 uRPF check—To pass the loose IPv6 uRPF check, the source address of a packet only needs to
match the destination address of an IPv6 FIB entry. Loose IPv6 uRPF avoids discarding valid packets,
but might let attack packets through. Loose IPv6 uRPF is often deployed between ISPs, especially in
asymmetrical routing.
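The following Python model of the two check modes is an added example, not code from this guide or from the router software. It uses a constructed FIB (interface names and prefixes are made up) to show why the spoofed 2000::1 packet from Figure 132 fails the strict check but passes the loose check, and why an asymmetrically routed packet fails strict; the allow_default flag is an assumed modelling knob for the default-route behavior described in the Features section, not a device command.

```python
import ipaddress

# Constructed IPv6 FIB for "Router B": (prefix, output interface).
# 2000::/64 is reached via GE1/0/1 (toward Router C); the attacker sits behind GE1/0/2.
FIB = [
    (ipaddress.ip_network("2000::/64"), "GE1/0/1"),
    (ipaddress.ip_network("2001:db8:1::/48"), "GE1/0/2"),
    (ipaddress.ip_network("2001:db8:1:ffff::/64"), "GE1/0/3"),
]
# Same FIB plus a default route (constructed), to show the default-route behavior.
FIB_WITH_DEFAULT = FIB + [(ipaddress.ip_network("::/0"), "GE1/0/9")]


def fib_lookup(src, fib):
    """Longest-prefix match of src against the FIB; returns (prefix, output interface) or None."""
    addr = ipaddress.IPv6Address(src)
    matches = [(prefix, oif) for prefix, oif in fib if addr in prefix]
    return max(matches, key=lambda entry: entry[0].prefixlen) if matches else None


def urpf_check(src, in_if, fib, mode="strict", allow_default=False):
    """Return True if the packet passes the IPv6 uRPF check, False if it is discarded.

    strict: source must match a FIB entry AND arrive on that entry's output interface.
    loose:  source only needs to match some FIB entry.
    allow_default (assumed knob): whether a match on the default route alone counts as a pass.
    """
    entry = fib_lookup(src, fib)
    if entry is None:
        return False  # no FIB entry for the source: discarded in both modes
    prefix, oif = entry
    if prefix.prefixlen == 0:
        return allow_default  # only the default route matched
    if mode == "loose":
        return True
    return oif == in_if  # strict: receiving interface must be the FIB output interface


if __name__ == "__main__":
    # Spoofed 2000::1 arriving from the attacker's side (GE1/0/2), as in Figure 132.
    print("strict:", urpf_check("2000::1", "GE1/0/2", FIB, "strict"))  # False: discarded
    print("loose: ", urpf_check("2000::1", "GE1/0/2", FIB, "loose"))   # True: slips through
```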
Features
Default route—When a default route exists, all packets that fail to match a specific IPv6 FIB entry match
the default route during IPv6 uRPF check and thus are permitted to pass. If you allow using the default