Reverse-Path Forwarding
The concept of reverse-path forwarding (RPF) is rarely understood well,
although it is rather simple. The basic idea is to take an all-encompassing routing table
and, for each packet that arrives, check its source address against this table. This is why
it is called a "reverse" lookup. When a route to this source is found (that is, when
there is a reverse path to the source), it is verified that the packet has arrived on
the same interface that is listed in the corresponding route entry (so the packet
has arrived on the best path back to its origin). If the interface is correct, the
packet has arrived from a real source and is legitimate. If a reverse route is
not found or the packet arrived on the wrong interface, it is assumed that the
packet is spoofed, and it is discarded.
This feature is used for implementing ingress and egress filtering as specified
in RFC 2267. It is turned off by default and can be enabled on a specific interface
using the following configuration command:
ip verify reverse-path interface
Ingress filtering is used for checking that outside hosts really have outside
addresses, but because the PIX firewall cannot maintain the table of all possible
routes on the Internet, most configurations check that packets arriving on the
outside interface from the Internet do not have an "inside" source address. Egress
filtering does exactly the opposite: it checks that the packets going to the
Internet really have internal source addresses. This filtering makes tracing any
packet back to its origin much easier and prevents most spoofing attacks.
Although this can all be achieved using access lists, the RPF feature provides
a much easier and more elegant solution.
www.syngress.com
[Figure 4.12 TCP Intercept in PIX Versions 5.3 and Later: the PIX answers the outside client's SYN with SYN/ACK itself and waits for the ACK; no packets are passed to the inside server until the three-way handshake is complete. After the PIX simulates the handshake with the outside client, it passes the connection to the inside server.]
Advanced PIX Configurations • Chapter 4 195
Let's consider the following example:
PIX1(config)# ip address inside 192.168.1.254 255.255.0.0
PIX1(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
PIX1(config)# route inside 192.168.3.0 255.255.255.0 192.168.1.254 1
PIX1(config)# ip address outside 1.2.3.1 255.255.255.0
PIX1(config)# route outside 0.0.0.0 0.0.0.0 1.2.3.127
PIX1(config)# ip verify reverse-path interface outside
PIX1(config)# ip verify reverse-path interface inside
Here, two networks, 192.168.2.0/24 and 192.168.3.0/24, are connected to
the inside interface, and corresponding entries are created in the routing table.
The outside interface has a default route to 1.2.3.127. The RPF feature is enabled
on both interfaces. Now, when a packet arrives from the network attached to the
inside interface, its source address is checked against the routing table. If this
address belongs to one of the two networks 192.168.2.0/24 or 192.168.3.0/24,
the route lookup succeeds and the packet is allowed to pass through the firewall.
If the address is not from any of these networks, no route will be found, and the
packet will be discarded.
If a packet arrives from the Internet on the outside interface, its source is also
checked because RPF is active on the outside interface. If this address belongs to
one of the networks 192.168.2.0/24 or 192.168.3.0/24, the route lookup succeeds,
but it is noted that this packet has not arrived on the best path to its origin. (The
best path goes through the inside interface.) The packet is clearly a spoofed
one and it is dropped. In all other cases, the route lookup also succeeds because
there is a default route on the outside interface, and the packet is allowed to
pass through. Thus ip verify reverse-path interface inside provides egress filtering,
whereas ip verify reverse-path interface outside provides ingress filtering.
If in this configuration we omit RPF checking on the outside interface,
only egress filtering on the inside interface will be performed, and spoofed
packets from the Internet will be allowed to pass through, whereas any spoofing
attempts by inside hosts will be stopped. If RPF checking is enabled only on
the outside interface and routes to internal networks are provided, only ingress
filtering will be performed; outside packets with source IPs belonging to internal
networks will be dropped.
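As an added illustration, not code from the book or from the PIX itself, the following Python models the reverse lookup and interface comparison that ip verify reverse-path performs, using the routing table from the example configuration above. The sample packets, the interface names passed to rpf_check, and the table variant without a default route are constructed for this example.

```python
import ipaddress

# Constructed routing table mirroring the chapter's example configuration
# (an illustration, not PIX code). Each entry: (interface, prefix).
ROUTES = [
    ("inside", ipaddress.ip_network("192.168.0.0/16")),  # connected: ip address inside
    ("inside", ipaddress.ip_network("192.168.2.0/24")),  # route inside 192.168.2.0
    ("inside", ipaddress.ip_network("192.168.3.0/24")),  # route inside 192.168.3.0
    ("outside", ipaddress.ip_network("1.2.3.0/24")),     # connected: ip address outside
    ("outside", ipaddress.ip_network("0.0.0.0/0")),      # route outside 0.0.0.0 0.0.0.0
]
# The same table without the default route, to show the limitation from the NOTE.
ROUTES_NO_DEFAULT = [r for r in ROUTES if r[1].prefixlen > 0]

def reverse_path_interface(src, routes):
    """Longest-prefix match on the SOURCE address (the 'reverse' lookup).
    Returns the interface of the best path back to the source, or None."""
    src = ipaddress.ip_address(src)
    best = None
    for iface, net in routes:
        if src in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None

def rpf_check(src, in_iface, rpf_enabled, routes=ROUTES):
    """Model `ip verify reverse-path interface <name>`: returns 'pass' or a
    'drop: ...' string explaining why unicast RPF discarded the packet."""
    if in_iface not in rpf_enabled:
        return "pass"  # RPF not enabled on this interface, nothing is checked
    expected = reverse_path_interface(src, routes)
    if expected is None:
        return "drop: no reverse route to source"
    if expected != in_iface:
        return f"drop: arrived on {in_iface}, best path to source is via {expected}"
    return "pass"

def demo(rpf_enabled=("inside", "outside"), routes=ROUTES):
    """Run the chapter's cases; constructed sample packets are (source, ingress interface)."""
    packets = [
        ("192.168.2.10", "inside"),  # legitimate inside host: egress filtering passes it
        ("10.9.8.7", "inside"),      # inside host spoofing a foreign source
        ("192.168.3.9", "outside"),  # Internet packet claiming an inside source
        ("203.0.113.5", "outside"),  # ordinary Internet source, matched by the default route
    ]
    return {f"{src}@{iface}": rpf_check(src, iface, rpf_enabled, routes) for src, iface in packets}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
    print("outside RPF off :", demo(rpf_enabled=("inside",))["192.168.3.9@outside"])
    print("no default route:", demo(routes=ROUTES_NO_DEFAULT)["203.0.113.5@outside"])
```

With the default route present, the spoofed inside source 10.9.8.7 matches that default route on the outside interface, so the model drops it for arriving on the wrong interface rather than for having no route; the outcome is the same as the text describes.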
NOTE
There are several limitations on using RPF verification. If there is no
default route on the outside interface, only the networks mentioned in
the routing table are able to send packets to the hosts behind the firewall.
Also, do not turn on RPF checking before routing is fully specified,
for the same reason. If your network has asymmetric routing, RPF
verification will not work correctly.
RPF-related statistics can be viewed with the following command:
pix(config)# show ip verify statistics
interface outside: 5 unicast rpf drops
interface inside: 2 unicast rpf drops
Counters here show the number of packets dropped by unicast RPF. The
number of RPF drops can also be seen in show interface results:
pix(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00aa.0000.003b
IP address 1.2.3.4, subnet mask 255.255.255.224
MTU 1500 bytes, BW 100000 Kbit half duplex
1183242 packets input, 1222000001 bytes, 0 no buffer
Received 210 broadcasts, 23 runts, 0 giants
4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
1311231 packets output, 565432270 bytes, 0 underruns, 0 unicast rpf drops
0 output errors, 12332 collisions, 0 interface resets
0 babbles, 0 late collisions, 12342 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/2) software (0/1)
Line 8 of this output contains the message "0 unicast rpf drops"; this means
there were no drops on this interface.
Not all packets are checked with RPF. What actually happens is:
ICMP packets are all checked because there is no session state for these
types of communication.
TCP and UDP communications have session information maintained by
the PIX, so only the initial packet is checked against the routing table. All
subsequent packets are checked only for the interface they arrived on.
This interface should be the interface on which the initial packet arrived.
The following commands remove the ip verify commands from the configuration
and clear packet counts, respectively:
clear ip verify reverse-path
clear ip verify statistics