Reverse-path forwarding: Difference between revisions

review: formatting and wording improvements
review: convert list to prose.
# the unicast routing table is correct and stable and,
# the path used from a sender to a router and the reverse path from the router back to the sender are symmetric.
If the first assumption is false, the RPF check will fail because it depends upon the router's unicast routing table as a fallback. If the second assumption is false, the RPF check would reject multicast traffic on all but the shortest path from the sender to the router, which would lead to a non-optimal multicast tree. In cases where the links are unidirectional, the reverse-path approach can fail altogether.
 
== Unicast RPF (uRPF) ==
'''Unicast RPF''' (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which they should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the Internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in [[denial of service|DoS]], [[distributed denial of service|DDoS]], and network scanning to obfuscate the source of the scan.
 
uRPF extends this idea by using the knowledge all routers must already hold in their [[routing information base]] (RIB) or [[forwarding information base]] (FIB) to do their primary job, to further restrict the source addresses that should be seen on an interface. Packets are only forwarded if they arrive over the router's best route to the packet's source address. Packets coming into an interface from valid subnetworks, as indicated by the corresponding entry in the routing table, are forwarded. Packets with source addresses that could ''not'' be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.
 
In cases of symmetric routing, where packets flow forward and reverse along the same path, and on terminal networks with only one link, this is a safe assumption and uRPF can be implemented without many anticipated problems. It is particularly useful to implement RPF on router interfaces connected to singly homed networks and terminal subnets, as symmetric routing is guaranteed there. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using bandwidth or reaching a router which is not configured for RPF, where it would be inappropriately forwarded.
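As an added illustration that is not part of the article, the following Python models the strict uRPF check described above: a longest-prefix lookup of the packet's source address in a forwarding table, accepting the packet only if the best route back to that source leaves through the interface it arrived on. The prefixes and interface names are constructed for the example; note how the default route makes any source acceptable on the upstream interface, and how a dual-homed network with asymmetric paths is rejected by strict mode, the caveat the text raises.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table: (prefix, egress interface). Sample values only.
FIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth0"),          # default route towards the upstream provider
    ("192.0.2.0/24", "eth1"),       # singly homed customer subnet
    ("198.51.100.0/24", "eth2"),    # stub subnet
    ("198.51.100.128/25", "eth3"),  # more specific route via a different interface
    ("203.0.113.0/24", "eth4"),     # dual-homed site: best route via eth4, but some
                                    # of its traffic legitimately arrives via eth0
]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[str]:
    """Longest-prefix match: egress interface for addr, or None if no route."""
    ip = ipaddress.ip_address(addr)
    best_net = None
    best_iface = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        # 'in' is False when address and network families differ (v4 vs v6)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_ok(fib: List[Tuple[str, str]], src: str, in_iface: str) -> bool:
    """Strict uRPF: accept only if the best route back to src uses in_iface."""
    return lookup(fib, src) == in_iface


def filter_packets(fib: List[Tuple[str, str]],
                   packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Apply the check to (src, in_iface) pairs; returns (src, iface, accepted)."""
    return [(src, iface, strict_urpf_ok(fib, src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, ok in filter_packets(FIB, [
        ("192.0.2.10", "eth1"),      # legitimate stub traffic
        ("192.0.2.10", "eth2"),      # source spoofed on the wrong interface
        ("198.51.100.200", "eth3"),  # matches the /25, not the covering /24
        ("203.0.113.7", "eth0"),     # asymmetric return path: dropped by strict mode
    ]):
        print(f"{src:>16} on {iface}: {'forward' if ok else 'drop'}")
```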