Reverse-path forwarding

Last updated

Reverse-path forwarding (RPF) is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing. [1]

Contents

In standard unicast IP routing, the router forwards the packet away from the source to make progress along the distribution tree and prevent routing loops. In contrast, the router's multicast forwarding state runs more logically by organizing tables based on the reverse path, from the receiver back to the root of the distribution tree at the source of the multicast. This approach is known as reverse-path forwarding.

Multicast RPF

Multicast RPF, typically denoted simply as RPF, is used in conjunction with a multicast routing protocol such as Multicast Source Discovery Protocol or Protocol Independent Multicast to ensure loop-free forwarding of multicast packets. In multicast routing, the decision to forward traffic is based upon source address and not on destination address as in unicast routing. It does this by utilizing either a dedicated multicast routing table or, alternatively, the router's unicast routing table.

When a multicast packet enters a router's interface, the router looks up the list of networks that are reachable via that interface (i.e., it checks the paths by which the packet could have arrived). If the router finds a matching routing entry for the source IP address of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in that multicast group. If the RPF check fails, the packet is dropped. As a result, the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. By only forwarding packets that come into the interface that also holds the routing entry for the source of the packet, loops are prevented.

This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking is integral in the decision to forward packets or not. If the router forwarded all packets that come in interface A to interface B and it also forwarded all packets coming in interface B to interface A and both interfaces receive the same packet, this will create a routing loop where packets will be forwarded in both directions until their IP TTLs expire. Routing loops are best avoided as they unnecessarily consume network resources.

The underlying assumptions of an RPF check are that,

  1. the unicast routing table is correct and stable and,
  2. the path used from a sender to a router and the reverse path from the router back to the sender are symmetric.

If the first assumption is false, the RPF check will fail because it depends upon the router's unicast routing table as a fallback. If the second assumption is false, the RPF check would reject multicast traffic on all but the shortest path from the sender to the router which would lead to a non-optimal multicast tree. In cases where the links are unidirectional, the reverse-path approach can fail altogether.

Unicast RPF

Unicast RPF (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which it should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the Internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in DoS, DDoS, and network scanning to obfuscate the source of the scan. [2]

uRPF extends this idea by utilizing the knowledge all routers must have in their routing information base (RIB) or forwarding information base (FIB) to do their primary job, to help further restrict the possible source addresses that should be seen on an interface. Packets are only forwarded if they come from a router's best route to the source of a packet. Packets coming into an interface come from valid subnetworks, as indicated by the corresponding entry in the routing table are forwarded. Packets with source addresses that could not be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.

In cases of symmetric routing, routing where packets flow both directions through the same path, and terminal networks connected via a single link, this is a safe assumption and uRPF can be implemented without many anticipated problems. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using bandwidth or reaching a router that is not configured for RPF and thus inappropriately forwarded.

Unfortunately, it is often the case on the larger Internet backbone that routing is asymmetric and the routing tables cannot be relied upon to point to the best route for a source to get to a router. Routing tables specify the best forward path and only in the symmetric case does that equate to the best reverse path. It is important when implementing uRPF to be aware of the potential for asymmetry to prevent accidental filtering of legitimate traffic.

RFC 3704 gives more details on how to extend strict reverse-path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry.

Strict mode

In strict mode, each incoming packet is tested against the FIB and, if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded. [lower-alpha 1]

Feasible mode

In feasible mode, the FIB maintains alternate routes to a given IP address. If the incoming interface matches with any of the routes associated with the IP address, then the packet is forwarded. Otherwise, the packet is dropped.

Loose mode

In loose mode each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via any interface on that router. [lower-alpha 1]

Filtering vs. forwarding

RPF is often interpreted as reverse-path filtering, particularly when it comes to unicast routing. This is an understandable alternate interpretation of the acronym in that when RPF is used with unicast routing as in RFC 3704, traffic is either permitted or denied based upon the RPF check passing or failing. The thought being that traffic is denied if it fails the RPF check and is therefore filtered. While uRPF is used as an ingress filtering mechanism, it is affected by reverse-path forwarding.

Reverse path filters are typically used to disable asymmetric routing where an IP application has a different incoming and outgoing routing path. Its intent is to prevent a packet entering one interface from leaving via the other interfaces. Reverse-path Filtering is a feature of the Linux Kernel. [3]

See also

Notes

  1. 1 2 Example command on Cisco devices: ip verify unicast source reachable-via {rx} - Strict mode, {any} - loose mode

Related Research Articles

<span class="mw-page-title-main">Router (computing)</span> Device that forwards data packets between computer networks

A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions between networks and on the global Internet. Data sent through a network, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork until it reaches its destination node.

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS).

<span class="mw-page-title-main">Routing table</span> Data table stored in a router that lists the routes to network destinations

In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes. The routing table contains information about the topology of the network immediately around it.

<span class="mw-page-title-main">Network address translation</span> Protocol facilitating connection of one IP address space to another

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

Bogon filtering is the practice of filtering bogons, which are bogus (fake) IP addresses of a computer network. Bogons include IP packets on the public Internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public Internet use. The areas of unallocated address space are called the bogon space.

The Resource Reservation Protocol (RSVP) is a transport layer protocol designed to reserve resources across a network using the integrated services model. RSVP operates over an IPv4 or IPv6 and provides receiver-initiated setup of resource reservations for multicast or unicast data flows. It does not transport application data but is similar to a control protocol, like Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP). RSVP is described in RFC 2205.

<span class="mw-page-title-main">Protocol Independent Multicast</span> Multicast routing protocol

Protocol-Independent Multicast (PIM) is a family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other routing protocols. PIM is not dependent on a specific unicast routing protocol; it can make use of any unicast routing protocol in use on the network. PIM does not build its own routing tables. PIM uses the unicast routing table for reverse-path forwarding.

The Distance Vector Multicast Routing Protocol (DVMRP), defined in RFC 1075, is a routing protocol used to share information between routers to facilitate the transportation of IP multicast packets among networks. It formed the basis of the Internet's historic multicast backbone, Mbone.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission. It is the IP-specific form of multicast and is used for streaming media and other network applications. It uses specially reserved multicast address blocks in IPv4 and IPv6.

In computer networking, a host model is an option of designing the TCP/IP stack of a networking operating system like Microsoft Windows or Linux. When a unicast packet arrives at a host, IP must determine whether the packet is locally destined. If the IP stack is implemented with a weak host model, it accepts any locally destined packet regardless of the network interface on which the packet was received. If the IP stack is implemented with a strong host model, it only accepts locally destined packets if the destination IP address in the packet matches an IP address assigned to the network interface on which the packet was received.

In computer networking, ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various spoofing attacks where the attacker's packets contain fake IP addresses. Spoofing is often used in denial-of-service attacks, and mitigating these is a primary application of ingress filtering.

Forwarding may refer to:

A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper output network interface controller to which the input interface should forward a packet. It is a dynamic table that maps MAC addresses to ports. It is the essential mechanism that separates network switches from Ethernet hubs. Content-addressable memory (CAM) is typically used to efficiently implement the FIB, thus it is sometimes called a CAM table.

Named Data Networking (NDN) is a proposed Future Internet architecture inspired by years of empirical research into network usage and a growing awareness of unsolved problems in contemporary internet architectures like IP. NDN has its roots in an earlier project, Content-Centric Networking (CCN), which Van Jacobson first publicly presented in 2006. The NDN project is investigating Jacobson's proposed evolution from today's host-centric network architecture IP to a data-centric network architecture (NDN). The belief is that this conceptually simple shift will have far-reaching implications for how people design, develop, deploy, and use networks and applications.

In network routing, the control plane is the part of the router architecture that is concerned with establishing the network topology, or the information in a routing table that defines what to do with incoming packets. Control plane functions, such as participating in routing protocols, run in the architectural control element. In most cases, the routing table contains a list of destination addresses and the outgoing interface(s) associated with each. Control plane logic also can identify certain packets to be discarded, as well as preferential treatment of certain packets for which a high quality of service is defined by such mechanisms as differentiated services.

<span class="mw-page-title-main">Forwarding plane</span>

In routing, the forwarding plane, sometimes called the data plane or user plane, defines the part of the router architecture that decides what to do with packets arriving on an inbound interface. Most commonly, it refers to a table in which the router looks up the destination address of the incoming packet and retrieves the information necessary to determine the path from the receiving element, through the internal forwarding fabric of the router, and to the proper outgoing interface(s).

IEEE 802.1aq is an amendment to the IEEE 802.1Q networking standard which adds support for Shortest Path Bridging (SPB). This technology is intended to simplify the creation and configuration of Ethernet networks while enabling multipath routing.

A routing bridge or RBridge, also known as a TRILL switch, is a network device that implements the TRILL protocol, as specified by the IETF and should not be confused with BRouters. RBridges are compatible with previous IEEE 802.1 customer bridges as well as IPv4 and IPv6 routers and end nodes. They are invisible to current IP routers and, like routers, RBridges terminate the bridge spanning tree protocol.

<span class="mw-page-title-main">Multicast routing</span> Computer networking protocol for forwarding transmissions from one sender to multiple receivers

Multicast routing is one of the routing protocols in IP networking.

References

  1. "Reverse Path Forwarding". Juniper Networks. 2010. Retrieved 2021-05-12.
  2. "Understanding Unicast Reverse Path Forwarding". Cisco Systems . Retrieved 2021-05-12.
  3. "rp_filter and LPIC-3 Linux Security". theurbanpenguin.com. 2020-08-27. Retrieved 2021-05-12.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.