Reverse-path forwarding: Difference between revisions

review complete: rm broken and commercial
cite web used; EL cleanup
{{No footnotes|date=May 2019}}
 
'''Reverse-path forwarding (RPF)''' is a technique used in modern [[router (computing)|router]]s for the purposes of ensuring loop-free forwarding of [[multicast]] packets in [[multicast routing]] and to help prevent [[IP address spoofing]] in [[unicast]] routing.<ref>{{cite web
| url=https://www.juniper.net/documentation/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html#120398
| title=Reverse Path Forwarding
| date=2010
| publisher=[[Juniper Networks]]
| access-date=2021-05-12}}</ref>
 
In standard unicast IP routing, the router forwards the packet away from the source to make progress along the distribution tree and prevent routing loops. In contrast, the router's multicast forwarding state is organized around the reverse path: tables are keyed on the path from the receiver back to the root of the distribution tree at the source of the multicast, and a packet is accepted only if it arrives on the interface the router would use to reach that source. This approach is known as reverse-path forwarding.
 
== Unicast RPF ==
'''Unicast RPF''' (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which it should never have originated. The original idea, as seen in RFC 2827, was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the Internet backbone, as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing, which is commonly used in [[denial of service|DoS]], [[distributed denial of service|DDoS]], and network scanning to obfuscate the source of the scan.<ref name="Cisco unicast-reverse-path-forwarding-1">{{cite web
| url=https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding
| title=Understanding Unicast Reverse Path Forwarding
| publisher=[[Cisco Systems]]
| access-date=2021-05-12}}</ref>
 
uRPF extends this idea by utilizing the knowledge all routers must already have in their [[routing information base]] (RIB) or [[forwarding information base]] (FIB) to do their primary job, in order to further restrict the possible source addresses that should be seen on an interface. Packets are only forwarded if they arrive on the interface that the router's best route to the packet's source address points out of. Packets coming into an interface from valid subnetworks, as indicated by the corresponding entry in the routing table, are forwarded. Packets with source addresses that could ''not'' be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.
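The following is an added illustration, not code from the article or from any vendor, of the reverse-path check described above for both the multicast RPF case and unicast RPF: a longest-prefix lookup against a constructed forwarding table decides whether the best route back to a packet's source leaves via the interface the packet arrived on. It goes slightly beyond the text by also showing the loose mode that RFC 3704 defines for multihomed sites; the table, interface names, packet list and the `allow_default` flag are all assumptions made for the example.

```python
import ipaddress

# Constructed sample forwarding table (prefix -> egress interface); not a real router's FIB.
FIB = [(ipaddress.ip_network(p), ifc) for p, ifc in (
    ("0.0.0.0/0", "eth0"),      # default route toward the upstream provider
    ("10.1.0.0/16", "eth1"),    # customer A
    ("10.2.0.0/16", "eth2"),    # customer B
    ("10.2.5.0/24", "eth3"),    # more-specific part of customer B's space
)]

def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def rpf_check(src, ingress, mode="strict", allow_default=False):
    """True if a packet with source src arriving on ingress passes the RPF check.

    strict: the best route back to src must leave via the ingress interface
            (the check the article describes; multicast RPF applies it to the sender).
    loose : a route back to src merely has to exist (RFC 3704's relaxation for
            multihomed or asymmetric sites).
    Whether a default route counts as a valid reverse path is a knob on real routers;
    here it is the allow_default flag (an assumption, not any vendor's exact semantics).
    """
    route = best_route(src)
    if route is None:
        return False                     # no way back to the source at all
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched
    if mode == "loose":
        return True
    if mode == "strict":
        return ifc == ingress
    raise ValueError(f"unknown mode {mode!r}")

# Constructed packets: (source address, arrival interface).
SAMPLE_PACKETS = [
    ("10.1.7.9", "eth1"),      # customer A, arriving on A's own interface
    ("10.1.7.9", "eth2"),      # source claims A but arrived from B: spoofed
    ("10.2.5.20", "eth2"),     # best route is the /24 via eth3, not eth2
    ("203.0.113.5", "eth0"),   # only the default route matches
    ("192.0.2.1", "eth1"),     # default route matches but points at eth0
]

def filter_packets(packets, mode="strict", allow_default=False):
    """Apply rpf_check to each packet; returns (src, ingress, 'forward'|'drop') tuples."""
    return [(s, i, "forward" if rpf_check(s, i, mode, allow_default) else "drop")
            for s, i in packets]
```

Under strict mode only the first sample packet is forwarded; loosening the mode admits the asymmetric customer-B packet, and only `allow_default` admits sources reachable solely via the default route.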
RPF is often interpreted as reverse-path ''filtering'', particularly when it comes to unicast routing. This is an understandable alternate interpretation of the acronym, in that when RPF is used with unicast routing as in RFC 3704, traffic is either permitted or denied based upon the RPF check passing or failing; traffic that fails the RPF check is denied and is therefore, in effect, filtered. While uRPF is used as an ingress ''filtering'' mechanism, the decision it makes is derived from the router's reverse-path ''forwarding'' information.
 
Reverse path filters are typically used to disable asymmetric routing, where an IP application has a different incoming and outgoing routing path. The intent is to prevent a packet entering on one interface from leaving via the other interfaces. Reverse-path filtering is a feature of the [[Linux kernel]].<ref name="professional Linux-1">{{cite web
| url=https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
| title=rp_filter and LPIC-3 Linux Security
| date=2020-08-27
| website=theurbanpenguin.com
| access-date=2021-05-12}}</ref>
 
== See also ==
* {{cite IETF |RFC=2827 |title=Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing}}
* {{cite IETF |RFC=3704 |title=Ingress Filtering for Multihomed Networks}}
* [http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html Cisco - Understanding uRPF]
* [https://web.archive.org/web/20120110091436/http://blog.ipexpert.com/2010/12/13/multicast-reverse-path-forwarding-rpf/ Multicast Reverse Forwarding (RPF)]
* [http://www.openbsd.org/faq/pf/filter.html#urpf OpenBSD - Enabling uRPF in pf]
* [http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html Linux - Enabling RPF in kernel]
* [http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html#120398 Juniper Networks on multicast RPF]
 
[[Category:Routing]]