Reverse path forwarding
Encyclopedia
Reverse path forwarding (RPF) is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast
routing
and to help prevent IP address spoofing
in unicast
routing.
and PIM-SM
to ensure loop-free forwarding of multicast packets. In multicast routing the decision to forward traffic is based upon source address and not on destination address as is the case with unicast routing. It does this by utilizing either a dedicated multicast routing table or alternatively the router's native unicast routing table.
When a multicast packet enters a router's interface it will lookup the list of networks that are reachable via that input interface i.e., it checks the reverse path of the packet. If the router finds a matching routing entry for the source IP of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in multicast for this multicast group. If the RPF check fails the packet will be dropped. As a result the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. RPF routers only forward packets that come into the interface that also hold the routing entry for the source of the packet, thus breaking any loop.
This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking must be integral in the decision to forward packets or not. If the router forwarded all packets that come in interface A to interface B and it also forwarded all packets coming in interface B to interface A and both interfaces receive the same packet, this will create a classic routing loop where packets will be forwarded in both directions until their IP TTL
s expire. Even considering TTL expiry, all types of routing loops are best avoided as they involve at least temporary network degradation.
The underlying assumptions of RPF check are:
In cases where the links are uni-directional, the reverse path approach can fail altogether.
, DDoS, and network scanning to obfuscate the source of the scan.
uRPF dramatically extends this idea by utilizing the knowledge all routers must have to do their jobs using their routing information base
(RIB) or forwarding information base
(FIB) to help further restrict the possible sources addresses that should be seen on an interface. Packets are only forwarded if they come from router's best route to the source of a packet, ensuring that:
In cases of symmetric routing, routing where packets flow forward and reverse down the same path, and terminal networks with only one link this is a safe assumption and uRPF can be implemented without much fear of problems. It is particularly useful to implement RPF on routers interfaces that are connected to singly homed networks and terminal subnets as symmetric routing is guaranteed. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using internet bandwidth or reaching a router which is not configured for RPF and thus inappropriately forwarded.
Unfortunately, it is often the case on the larger internet backbone that routing is asymmetric and you cannot count on the routing table to point to the best route for a source to get to a router. Routing tables specify best forward path and only in the symmetric case does that equate to the best reverse path. Because of this common asymmetry it is important when implementing uRPF to be aware of the potential for asymmetry to exist to prevent accidental filtering of legitimate traffic.
Any device using a default route
cannot use uRPF on the interface that the default route points to because all sources would be allowed to come from that interface and uRPF would not accomplish even as much as RFC 2827.
RFC 3704 gives more details on how to extend the most basic "this source address must be seen in the routing table for the input interface" concept known as strict reverse path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry.
While uRPF is used as in ingress filtering mechanism, it is affected by reverse path forwarding.
Multicast
In computer networking, multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source creating copies automatically in other network elements, such as routers, only when the topology of the network requires...
routing
Routing
Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network , electronic data networks , and transportation networks...
and to help prevent IP address spoofing
IP address spoofing
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.-Background:The basic...
in unicast
Unicast
right|200pxIn computer networking, unicast transmission is the sending of messages to a single network destination identified by a unique address.-Addressing methodologies:...
routing.
Multicast RPF
Multicast RPF, typically denoted simply as RPF, is used in conjunction with a multicast routing protocols such as MSDPMulticast Source Discovery Protocol
Multicast Source Discovery Protocol is a Protocol Independent Multicast family multicast routing protocol defined by Experimental RFC 3618. MSDP interconnects multiple IPv4 PIM Sparse-Mode domains which enables PIM-SM to have Rendezvous Point redundancy and inter-domain multicasting.MSDP uses...
and PIM-SM
Sparse multicast
Protocol Independent Multicast - Sparse-Mode is a protocol for efficiently routing Internet Protocol packets to multicast groups that may span wide-area and inter-domain internets...
to ensure loop-free forwarding of multicast packets. In multicast routing the decision to forward traffic is based upon source address and not on destination address as is the case with unicast routing. It does this by utilizing either a dedicated multicast routing table or alternatively the router's native unicast routing table.
When a multicast packet enters a router's interface it will lookup the list of networks that are reachable via that input interface i.e., it checks the reverse path of the packet. If the router finds a matching routing entry for the source IP of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in multicast for this multicast group. If the RPF check fails the packet will be dropped. As a result the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. RPF routers only forward packets that come into the interface that also hold the routing entry for the source of the packet, thus breaking any loop.
This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking must be integral in the decision to forward packets or not. If the router forwarded all packets that come in interface A to interface B and it also forwarded all packets coming in interface B to interface A and both interfaces receive the same packet, this will create a classic routing loop where packets will be forwarded in both directions until their IP TTL
Time to live
Time to live is a mechanism that limits the lifespan of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded. In computer networking, TTL prevents a data...
s expire. Even considering TTL expiry, all types of routing loops are best avoided as they involve at least temporary network degradation.
The underlying assumptions of RPF check are:
- It depends on unicast routing table, so unicast routing table must be correct and converged for RPF checks to work properly.
- It assumes that the path used from a sender to a router and the reversed path from the router back to the sender are symmetric. If they are not, RPF check would reject multicast traffic on the shortest path from the sender to the router. It leads to non-optimal multicast tree.
In cases where the links are uni-directional, the reverse path approach can fail altogether.
Unicast RPF (uRPF)
uRPF as defined in RFC 3704 is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which they should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from RFC 1918 private addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in DoSDOS
DOS, short for "Disk Operating System", is an acronym for several closely related operating systems that dominated the IBM PC compatible market between 1981 and 1995, or until about 2000 if one includes the partially DOS-based Microsoft Windows versions 95, 98, and Millennium Edition.Related...
, DDoS, and network scanning to obfuscate the source of the scan.
uRPF dramatically extends this idea by utilizing the knowledge all routers must have to do their jobs using their routing information base
Routing table
In computer networking a routing table, or Routing Information Base , is a data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics associated with those routes. The routing table contains information about the...
(RIB) or forwarding information base
Forwarding Information Base
A forwarding information base , also known as a forwarding table, is most commonly used in network bridging, routing, and similar functions to find the proper interface to which the input interface should send a packet to be transmitted by the router.In contrast to routing information bases , also...
(FIB) to help further restrict the possible sources addresses that should be seen on an interface. Packets are only forwarded if they come from router's best route to the source of a packet, ensuring that:
- Packets coming into an interface come from (potentially) valid hosts, as indicated by the corresponding entry in the routing table.
- Packets with source addresses that could not be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.
In cases of symmetric routing, routing where packets flow forward and reverse down the same path, and terminal networks with only one link this is a safe assumption and uRPF can be implemented without much fear of problems. It is particularly useful to implement RPF on routers interfaces that are connected to singly homed networks and terminal subnets as symmetric routing is guaranteed. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using internet bandwidth or reaching a router which is not configured for RPF and thus inappropriately forwarded.
Unfortunately, it is often the case on the larger internet backbone that routing is asymmetric and you cannot count on the routing table to point to the best route for a source to get to a router. Routing tables specify best forward path and only in the symmetric case does that equate to the best reverse path. Because of this common asymmetry it is important when implementing uRPF to be aware of the potential for asymmetry to exist to prevent accidental filtering of legitimate traffic.
Any device using a default route
Default route
A default route, also known as the gateway of last resort, is the network route used by a router when no other known route exists for a given IP packet's destination address. All the packets for destinations not known by the router's routing table are sent to the default route...
cannot use uRPF on the interface that the default route points to because all sources would be allowed to come from that interface and uRPF would not accomplish even as much as RFC 2827.
RFC 3704 gives more details on how to extend the most basic "this source address must be seen in the routing table for the input interface" concept known as strict reverse path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry.
Strict mode
In strict mode each incoming packet is tested against the FIB and if the incoming interface is not the best reverse path the packet check will fail. By default failed packets are discarded.Feasible mode
In Feasible mode, the FIB maintains alternate routes to a given ip address. If the incoming interface matches with any of the routes associated with the ip address, then the packet is forwarded. Otherwise the packet is dropped.Loose mode
In loose mode each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via any interface on that router.Unicast RPF confusion
RPF is often incorrectly defined as Reverse Path Filtering, particularly when it comes to unicast routing. This is an understandable misinterpretation of the acronym in that when RPF is used with unicast routing as in RFC 3704 traffic is either permitted or denied based upon the RPF check passing or failing. The thought being that traffic is denied if it fails the RPF check and is therefore filtered, however as per RFC 3704 the correct interpretation is that traffic is forwarded if it passes the RPF check. Several examples of the proper usage can be seen in documents by Juniper, Cisco, OpenBSD, and most importantly RFC 3704 which defines the use of RPF with unicast.While uRPF is used as in ingress filtering mechanism, it is affected by reverse path forwarding.