Reverse-path forwarding: Difference between revisions

Line 2:
{{No footnotes|date=May 2019}}
 
'''Reverse-path forwarding''' ('''RPF''') is a technique used in modern [[router (computing)|router]]s for the purposes of ensuring loop-free forwarding of [[multicast]] packets in [[multicast routing]] and to help prevent [[IP address spoofing]] in [[unicast]] routing.<ref>{{cite web
| url=https://www.juniper.net/documentation/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html
| title=Reverse Path Forwarding
Line 9:
| access-date=2021-05-12}}</ref>
 
In standard unicast [[IP routing]], the router forwards the packet away from the source to make progress along the distribution tree and prevent routing loops. In contrast, a router's multicast forwarding state is organized around the reverse path: its tables are built from the receiver back to the root of the distribution tree at the source of the multicast. This approach is known as reverse-path forwarding.
 
== Multicast RPF ==
Multicast RPF, typically denoted simply as RPF, is used in conjunction with a multicast [[routing protocol]] such as [[Multicast Source Discovery Protocol]] or [[Protocol Independent Multicast]] to ensure loop-free forwarding of multicast packets. In multicast routing, the decision to forward traffic is based upon source address and not on destination address as in unicast routing. It does this by utilizing either a dedicated multicast routing table or, alternatively, the router's unicast routing table.
 
When a multicast packet enters a router's interface, the router looks up the list of networks that are reachable via that interface (i.e., it checks the paths by which the packet could have arrived). If the router finds a matching routing entry for the source IP address of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in that multicast group. If the RPF check fails, the packet is dropped. As a result, the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. By only forwarding packets that come into the interface that also holds the routing entry for the source of the packet, loops are prevented.
Line 24:
 
== Unicast RPF ==
'''Unicast RPF''' (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which it should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the [[Internet backbone]] as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in [[denial of service|DoS]], [[distributed denial of service|DDoS]], and network scanning to obfuscate the source of the scan.<ref>{{cite web
| url=https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding
| title=Understanding Unicast Reverse Path Forwarding
Line 39:
 
===Strict mode===
In strict mode, each incoming packet is tested against the FIB and, if the ''incoming'' interface is not the best reverse path, the packet check will fail. By default, failed packets are discarded.{{efn|name=command|Example command on Cisco devices: <code>ip verify unicast source reachable-via {rx {{!}} any}</code>, where <code>rx</code> selects strict mode and <code>any</code> selects loose mode.}}
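The following is an added illustration of the checks described in the Multicast RPF section and in this strict-mode section; it is not code from the article or from any router vendor. It models a FIB as a list of prefixes with longest-prefix-match lookup, and the interface names, prefixes and the multicast group membership are constructed for the example. The strict check asks whether the ingress interface is the best path back to the source; the multicast check is the same test followed by a fan-out to the other interfaces in the group; the loose check (mentioned in the footnote's <code>any</code> keyword) only requires that the source be present in the FIB at all.

```python
"""Reverse-path forwarding checks over a small constructed FIB.

Added illustration, not code from the Wikipedia article or any vendor.
All interface names, prefixes and group memberships below are constructed.
"""
import ipaddress

# Constructed FIB: (prefix, interface on which that prefix is reached).
# Longest prefix match decides which entry is "the best path" to an address.
# Deliberately no default route (0.0.0.0/0): with one, every source would be
# "reachable" and loose-mode uRPF would pass everything.
FIB = [
    ("10.0.0.0/8",   "ge-0/0/1"),  # customer aggregate
    ("10.1.0.0/16",  "ge-0/0/2"),  # more specific customer site
    ("192.0.2.0/24", "ge-0/0/3"),  # documentation prefix, constructed
]
_FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB]


def best_path(addr: str):
    """Return the interface the FIB would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifname) for net, ifname in _FIB if ip in net]
    if not matches:
        return None
    _, ifname = max(matches, key=lambda m: m[0].prefixlen)  # longest match wins
    return ifname


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict uRPF: the best reverse path to src must be the ingress interface."""
    return best_path(src) == ingress


def urpf_loose(src: str) -> bool:
    """Loose uRPF: src merely has to be reachable via some FIB entry."""
    return best_path(src) is not None


# Constructed multicast membership: group -> interfaces with receivers.
GROUP_MEMBERS = {
    "239.1.1.1": {"ge-0/0/1", "ge-0/0/2", "ge-0/0/3"},
}


def multicast_rpf_forward(src: str, group: str, ingress: str):
    """Multicast RPF: forward only if the packet arrived on the interface that
    is the best path back to its source, then flood to the other member
    interfaces. Returns the sorted egress list; [] means the packet is dropped."""
    if best_path(src) != ingress:
        return []  # RPF check failed: drop, which is what prevents loops
    return sorted(GROUP_MEMBERS.get(group, set()) - {ingress})


if __name__ == "__main__":
    # A legitimate packet from the 10.1/16 site arriving where the FIB expects it.
    print(urpf_strict("10.1.2.3", "ge-0/0/2"))          # True
    # The same source address arriving on an unrelated interface fails strict mode.
    print(urpf_strict("10.1.2.3", "ge-0/0/0"))          # False
    # Loose mode only cares that the source exists in the FIB.
    print(urpf_loose("10.1.2.3"), urpf_loose("198.51.100.1"))  # True False
    # Multicast: pass the RPF check, then fan out to the other group members.
    print(multicast_rpf_forward("10.1.2.3", "239.1.1.1", "ge-0/0/2"))
```

Note that the loose check never rejects a source covered by a default route; a router configured with a default route therefore needs either strict mode or an explicit "ignore the default route" option for loose mode to mean anything, which is exactly the caveat the RFC 3704 discussion of loose mode raises.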
 
===Feasible mode===