Reverse-path forwarding: Difference between revisions
No edit summary |
m Kvng moved page Reverse-Path Forwarding to Reverse-path forwarding over redirect: Fix grammar |
||
| (124 intermediate revisions by 76 users not shown) | |||
| Line 1: | Line 1: | ||
{{short description|Multicast routing technique to minimize loops and enhance security}} |
|||
'''Reverse-path forwarding (RPF)''' is a technique used in [[multicast]] [[routing]]. It is utilized to build source-specific forwarding paths ('''[[shortest path tree|SPT]]''', ''shortest path tree''), amongst which the traffic can flow more efficiently. [[Source specific multicast]] makes immediate use of this. [[Any source multicast]] usually switches from a centralized tree to the SPT on certain predefined conditions and for each source individually. |
|||
{{No footnotes|date=May 2019}} |
|||
'''Reverse-path forwarding''' ('''RPF''') is a technique used in modern [[router (computing)|router]]s for the purposes of ensuring loop-free forwarding of [[multicast]] packets in [[multicast routing]] and to help prevent [[IP address spoofing]] in [[unicast]] routing.<ref>{{cite web |
|||
This functionality is achieved by issuing source-specific joins towards the source, using the source address to look up an unicast / MRIB routing table entry. This continues router by router until the source is reached. The source and the routers in between now start forwarding the traffic towards the direction the original join came ''from''. The result is that the traffic is forwarded along the ''reverse path'' from the source back to the listener. |
|||
| url=https://www.juniper.net/documentation/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html |
|||
| title=Reverse Path Forwarding |
|||
| date=2010 |
|||
| publisher=[[Juniper Networks]] |
|||
| access-date=2021-05-12}}</ref> |
|||
In standard unicast IP routing, the router forwards the packet away from the source to make progress along the distribution tree and prevent routing loops. In contrast, the router's multicast forwarding state runs more logically by organizing tables based on the reverse path, from the receiver back to the root of the distribution tree at the source of the multicast. This approach is known as reverse-path forwarding. |
|||
While with symmetric routing, the reverse path is the same as the forward path, this is not necessarily true with asymmetric routing. Because the Internet is routed asymmetrically, the paths show significant differences quite often. |
|||
== Multicast RPF == |
|||
Multicast RPF, typically denoted simply as RPF, is used in conjunction with a multicast routing protocol such as [[Multicast Source Discovery Protocol]] or [[Protocol Independent Multicast]] to ensure loop-free forwarding of multicast packets. In multicast routing, the decision to forward traffic is based upon source address and not on destination address as in unicast routing. It does this by utilizing either a dedicated multicast routing table or, alternatively, the router's unicast routing table. |
|||
When a multicast packet enters a router's interface, the router looks up the list of networks that are reachable via that interface (i.e., it checks the paths by which the packet could have arrived). If the router finds a matching routing entry for the source IP address of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in that multicast group. If the RPF check fails, the packet is dropped. As a result, the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. By only forwarding packets that come into the interface that also holds the routing entry for the source of the packet, loops are prevented. |
|||
This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking is integral in the decision to forward packets or not. If the router forwarded all packets that come in interface A to interface B and it also forwarded all packets coming in interface B to interface A and both interfaces receive the same packet, this will create a [[routing loop]] where packets will be forwarded in both directions until their IP [[Time to live|TTL]]s expire. Routing loops are best avoided as they unnecessarily consume network resources. |
|||
The underlying assumptions of an RPF check are that, |
|||
# the unicast routing table is correct and stable and, |
|||
# the path used from a sender to a router and the reverse path from the router back to the sender are symmetric. |
|||
If the first assumption is false, the RPF check will fail because it depends upon the router's unicast routing table as a fallback. If the second assumption is false, the RPF check would reject multicast traffic on all but the shortest path from the sender to the router which would lead to a non-optimal multicast tree. In cases where the links are unidirectional, the reverse-path approach can fail altogether. |
|||
== Unicast RPF == |
|||
'''Unicast RPF''' (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which it should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the Internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in [[DoS]], [[DDoS]], and network scanning to obfuscate the source of the scan.<ref>{{cite web |
|||
| url=https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding |
|||
| title=Understanding Unicast Reverse Path Forwarding |
|||
| publisher=[[Cisco Systems]] |
|||
| access-date=2021-05-12}}</ref> |
|||
uRPF extends this idea by utilizing the knowledge all routers must have in their [[routing information base]] (RIB) or [[forwarding information base]] (FIB) to do their primary job, to help further restrict the possible source addresses that should be seen on an interface. Packets are only forwarded if they come from a router's best route to the source of a packet. Packets coming into an interface come from valid subnetworks, as indicated by the corresponding entry in the routing table are forwarded. Packets with source addresses that could ''not'' be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source. |
|||
In cases of symmetric routing, routing where packets flow both directions through the same path, and terminal networks connected via a single link, this is a safe assumption and uRPF can be implemented without many anticipated problems. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using bandwidth or reaching a router that is not configured for RPF and thus inappropriately forwarded. |
|||
Unfortunately, it is often the case on the larger Internet backbone that routing is asymmetric and the routing tables cannot be relied upon to point to the best route for a source to get to a router. Routing tables specify the best forward path and only in the symmetric case does that equate to the best reverse path. It is important when implementing uRPF to be aware of the potential for asymmetry to prevent accidental filtering of legitimate traffic. |
|||
RFC 3704 gives more details on how to extend strict reverse-path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry. |
|||
===Strict mode=== |
|||
In strict mode, each incoming packet is tested against the FIB and, if the ''incoming'' interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.{{efn|name=command|Example command on Cisco devices: ip verify unicast source reachable-via {rx} - Strict mode, {any} - loose mode}} |
|||
===Feasible mode=== |
|||
In feasible mode, the FIB maintains alternate routes to a given IP address. If the ''incoming'' interface matches with any of the routes associated with the IP address, then the packet is forwarded. Otherwise, the packet is dropped. |
|||
===Loose mode=== |
|||
In loose mode each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via ''any'' interface on that router.{{efn|name=command}} |
|||
== {{anchor|Filtering}}Filtering vs. forwarding == |
|||
RPF is often interpreted as reverse-path ''filtering'', particularly when it comes to unicast routing. This is an understandable alternate interpretation of the acronym in that when RPF is used with unicast routing as in RFC 3704, traffic is either permitted or denied based upon the RPF check passing or failing. The thought being that traffic is denied if it fails the RPF check and is therefore filtered. While uRPF is used as an ingress ''filtering'' mechanism, it is affected by reverse-path ''forwarding''. |
|||
Reverse path filters are typically used to disable asymmetric routing where an IP application has a different incoming and outgoing routing path. Its intent is to prevent a packet entering one interface from leaving via the other interfaces. Reverse-path Filtering is a feature of the [[Linux Kernel]].<ref>{{cite web |
|||
| url=https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/ |
|||
| title=rp_filter and LPIC-3 Linux Security |
|||
| date=2020-08-27 |
|||
| website=theurbanpenguin.com |
|||
| access-date=2021-05-12}}</ref> |
|||
== See also == |
|||
* [[Flooding (computer networking)]] |
|||
==Notes== |
|||
{{Notelist}} |
|||
==References== |
|||
{{Reflist}} |
|||
== External links == |
|||
* {{cite IETF |RFC=2827 |title=Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing}} |
|||
* {{cite IETF |RFC=3704 |title=Ingress Filtering for Multihomed Networks}} |
|||
[[Category:Routing]] |
|||
Latest revision as of 02:30, 23 October 2024
 | This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations. (May 2019) |
Reverse-path forwarding (RPF) is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing.[1]
In standard unicast IP routing, the router forwards the packet away from the source to make progress along the distribution tree and prevent routing loops. In contrast, the router's multicast forwarding state runs more logically by organizing tables based on the reverse path, from the receiver back to the root of the distribution tree at the source of the multicast. This approach is known as reverse-path forwarding.
Multicast RPF
[edit]Multicast RPF, typically denoted simply as RPF, is used in conjunction with a multicast routing protocol such as Multicast Source Discovery Protocol or Protocol Independent Multicast to ensure loop-free forwarding of multicast packets. In multicast routing, the decision to forward traffic is based upon source address and not on destination address as in unicast routing. It does this by utilizing either a dedicated multicast routing table or, alternatively, the router's unicast routing table.
When a multicast packet enters a router's interface, the router looks up the list of networks that are reachable via that interface (i.e., it checks the paths by which the packet could have arrived). If the router finds a matching routing entry for the source IP address of the multicast packet, the RPF check passes and the packet is forwarded to all other interfaces that are participating in that multicast group. If the RPF check fails, the packet is dropped. As a result, the forwarding of the packet is decided based upon the reverse path of the packet rather than the forward path. By only forwarding packets that come into the interface that also holds the routing entry for the source of the packet, loops are prevented.
This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking is integral in the decision to forward packets or not. If the router forwarded all packets that come in interface A to interface B and it also forwarded all packets coming in interface B to interface A and both interfaces receive the same packet, this will create a routing loop where packets will be forwarded in both directions until their IP TTLs expire. Routing loops are best avoided as they unnecessarily consume network resources.
The underlying assumptions of an RPF check are that,
- the unicast routing table is correct and stable and,
- the path used from a sender to a router and the reverse path from the router back to the sender are symmetric.
If the first assumption is false, the RPF check will fail because it depends upon the router's unicast routing table as a fallback. If the second assumption is false, the RPF check would reject multicast traffic on all but the shortest path from the sender to the router which would lead to a non-optimal multicast tree. In cases where the links are unidirectional, the reverse-path approach can fail altogether.
Unicast RPF
[edit]Unicast RPF (uRPF), as defined in RFC 3704, is an evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which it should never have originated. The original idea as seen in RFC 2827 was to block traffic on an interface if it is sourced from forged IP addresses. It is a reasonable assumption for many organizations to simply disallow propagation of private addresses on their networks unless they are explicitly in use. This is a great benefit to the Internet backbone as blocking packets from obviously bogus source addresses helps to cut down on IP address spoofing which is commonly used in DoS, DDoS, and network scanning to obfuscate the source of the scan.[2]
uRPF extends this idea by utilizing the knowledge all routers must have in their routing information base (RIB) or forwarding information base (FIB) to do their primary job, to help further restrict the possible source addresses that should be seen on an interface. Packets are only forwarded if they come from a router's best route to the source of a packet. Packets coming into an interface come from valid subnetworks, as indicated by the corresponding entry in the routing table are forwarded. Packets with source addresses that could not be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.
In cases of symmetric routing, routing where packets flow both directions through the same path, and terminal networks connected via a single link, this is a safe assumption and uRPF can be implemented without many anticipated problems. Using uRPF as close as possible to the real source of traffic also stops spoofed traffic before it has any chance of using bandwidth or reaching a router that is not configured for RPF and thus inappropriately forwarded.
Unfortunately, it is often the case on the larger Internet backbone that routing is asymmetric and the routing tables cannot be relied upon to point to the best route for a source to get to a router. Routing tables specify the best forward path and only in the symmetric case does that equate to the best reverse path. It is important when implementing uRPF to be aware of the potential for asymmetry to prevent accidental filtering of legitimate traffic.
RFC 3704 gives more details on how to extend strict reverse-path forwarding to include some more relaxed cases that can still be of benefit while allowing for at least some asymmetry.
Strict mode
[edit]In strict mode, each incoming packet is tested against the FIB and, if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.[a]
Feasible mode
[edit]In feasible mode, the FIB maintains alternate routes to a given IP address. If the incoming interface matches with any of the routes associated with the IP address, then the packet is forwarded. Otherwise, the packet is dropped.
Loose mode
[edit]In loose mode each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via any interface on that router.[a]
Filtering vs. forwarding
[edit]RPF is often interpreted as reverse-path filtering, particularly when it comes to unicast routing. This is an understandable alternate interpretation of the acronym in that when RPF is used with unicast routing as in RFC 3704, traffic is either permitted or denied based upon the RPF check passing or failing. The thought being that traffic is denied if it fails the RPF check and is therefore filtered. While uRPF is used as an ingress filtering mechanism, it is affected by reverse-path forwarding.
Reverse path filters are typically used to disable asymmetric routing where an IP application has a different incoming and outgoing routing path. Its intent is to prevent a packet entering one interface from leaving via the other interfaces. Reverse-path Filtering is a feature of the Linux Kernel.[3]
See also
[edit]Notes
[edit]References
[edit]- ^ "Reverse Path Forwarding". Juniper Networks. 2010. Retrieved 2021-05-12.
- ^ "Understanding Unicast Reverse Path Forwarding". Cisco Systems. Retrieved 2021-05-12.
- ^ "rp_filter and LPIC-3 Linux Security". theurbanpenguin.com. 2020-08-27. Retrieved 2021-05-12.