review: rm rep. reorg for focus. mv ref.
→Unicast RPF: Fixed reference
== Unicast RPF ==
'''Unicast RPF''' (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces through which it could never legitimately have arrived. The original idea, set out in RFC 2827, was to block traffic arriving on an interface if its source IP address is forged. For many organizations it is reasonable to simply disallow propagation of private addresses on their networks unless those addresses are explicitly in use. This is a great benefit to the Internet backbone, as blocking packets with obviously bogus source addresses helps to cut down on IP address spoofing, which is commonly used in [[denial of service|DoS]], [[distributed denial of service|DDoS]], and network scanning to obfuscate the source of the scan.<ref name="Cisco unicast-reverse-path-forwarding-1">{{citation |publisher=[[Cisco Systems]] |date=3 June 2015 |url=https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html |title=Understanding Unicast Reverse Path Forwarding |access-date=2020-12-30}}</ref>
uRPF extends this idea by using the knowledge every router must already hold in its [[routing information base]] (RIB) or [[forwarding information base]] (FIB) to do its primary job, forwarding, in order to further restrict the source addresses that should be seen on an interface. A packet is forwarded only if it arrived on the interface that the router's best route back to the packet's source address points to. Packets that arrive on an interface from valid subnetworks, as indicated by the corresponding entry in the routing table, are forwarded. Packets with source addresses that could ''not'' be reached via the input interface can be dropped without disrupting normal use, since they probably come from a misconfigured or malicious source.
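The strict reverse-path check described above, as an added example in Python (not code from the article or from any router vendor): a constructed three-entry FIB, a longest-prefix lookup standing in for the router's best-route selection, and the check applied to constructed packets, one of them spoofed. The interface names, prefixes and the allow_default flag (modelling whether a default route counts as a valid reverse path) are assumptions.

```python
from ipaddress import ip_network, ip_address

# Constructed FIB for an edge router: (prefix, egress interface).
# "eth0" faces a customer network, "eth1" faces the upstream provider.
FIB = [
    (ip_network("192.0.2.0/24"), "eth0"),      # block assigned to the customer
    (ip_network("198.51.100.0/24"), "eth1"),   # prefix learned from upstream
    (ip_network("0.0.0.0/0"), "eth1"),         # default route towards upstream
]

def best_route(fib, addr):
    """Longest-prefix match: the FIB entry the router would use to reach addr."""
    matches = [(net, iface) for net, iface in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def strict_urpf_accept(fib, src, ingress, allow_default=False):
    """Strict uRPF (RFC 3704 section 2.2): accept the packet only if the best
    route back to its source address leaves via the interface it arrived on."""
    route = best_route(fib, ip_address(src))
    if route is None:
        return False            # no route back to the source at all
    net, egress = route
    # Caveat: with a default route every unknown source would pass the check on
    # the upstream interface, so the default is ignored unless explicitly allowed.
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress

def filter_packets(fib, packets):
    """Apply the check to (source, ingress) pairs; returns (source, ingress, accepted)."""
    return [(src, ing, strict_urpf_accept(fib, src, ing)) for src, ing in packets]

# Constructed sample packets: (source address, ingress interface).
SAMPLE = [
    ("192.0.2.10", "eth0"),     # legitimate customer traffic
    ("198.51.100.7", "eth0"),   # spoofed: that source lives behind eth1
    ("198.51.100.7", "eth1"),   # legitimate traffic from upstream
    ("203.0.113.9", "eth1"),    # only the default route matches
]

if __name__ == "__main__":
    for src, ing, ok in filter_packets(FIB, SAMPLE):
        print(f"{src:>14} on {ing}: {'forward' if ok else 'drop'}")
```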