Reverse Path Forwarding - Unicast RPF (uRPF)

Unicast RPF (uRPF)

uRPF as defined in RFC 3704 is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which they should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from RFC 1918 private addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in DoS, DDoS, and network scanning to obfuscate the source of the scan.

uRPF extends this idea by utilizing the knowledge all routers must have to do their jobs using their routing information base (RIB) or forwarding information base (FIB) to help further restrict the possible sources addresses that should be seen on an interface. Packets are only forwarded if they come from router's best route to the source of a packet, ensuring that:

• Packets coming into an interface come from (potentially) valid hosts, as indicated by the corresponding entry in the routing table.
• Packets with source addresses that could not be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.

In cases of symmetric routing, routing where packets flow forward and reverse down the same path, and terminal networks with only one link this is a safe assumption and uRPF can be implemented without much fear of problems. It is particularly useful to implement RPF on routers interfaces that are connected to singly homed networks and terminal subnets as symmetric routing is guaranteed. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using bandwidth or reaching a router which is not configured for RPF and thus inappropriately forwarded.

Unfortunately, it is often the case on the larger Internet backbone that routing is asymmetric and the routing tables cannot be relied upon to point to the best route for a source to get to a router. Routing tables specify the best forward path and only in the symmetric case does that equate to the best reverse path. Because of this asymmetry it is important when implementing uRPF to be aware of the potential for asymmetry to exist to prevent accidental filtering of legitimate traffic.

RFC 3704 gives more details on how to extend the most basic "this source address must be seen in the routing table for the input interface" concept known as strict reverse path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry.