ip verify reverse-path clarification

raza555
Level 3

Hi,

I am auditing the network and am a bit worried about configuring “ip verify reverse-path interface outside” and “ip verify reverse-path interface inside”, so I thought I would take further advice from the experts.

My understanding of RPF is that, for an incoming packet that is not part of an existing connection, RPF checks the source IP address of the packet and consults the routing table to find out whether the network to which the source IP address belongs is reachable or not. If that packet is reachable, the packet is allowed; otherwise it is dropped.

Questions:

1) As RPF heavily depends on the routing table, if we apply “ip verify reverse-path interface outside” with the sample routing table below, everything is allowed on the OUTSIDE interface, so it is not worth applying it.

   If we apply it to the INSIDE interface, then only the subnets 10.30.0.0 and 10.40.0.0 will be allowed, so it is worth applying the command “ip verify reverse-path interface inside”.

2) Suppose the spoofed IP address 10.40.0.10 ingresses on the OUTSIDE interface to egress on the INSIDE network. As per the routing table below, how will RPF recognize that it is a spoofed IP address and drop it? I think that packet will pass the RPF checks.

3) RPF will only drop the packet on a particular interface if the source IP address is not expected from that interface as per the routing table. BUT if the packet is not in the routing table, it will be dropped anyway, so what is the purpose of RPF?

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.30.0.0 255.255.0.0 10.10.20.1 1
route inside 10.40.0.0 255.255.0.0 10.10.20.1 1
route outside 10.180.10.0 255.255.255.192 10.10.10.1 1
route outside 10.183.20.48 255.255.255.224 10.10.10.1 1

Thanks
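As an added illustration (not part of raza555's post, and not Cisco's own code), the following Python model walks through the strict reverse-path check that "ip verify reverse-path" performs: take the packet's source address, do a longest-prefix-match lookup in the routing table, and compare the interface the best route points to with the interface the packet actually arrived on. The routes are the five lines from the post above; the sample source addresses, the interface names as used here, and the helper names (parse_routes, best_route, rpf_allows, audit) are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Routing table copied from the post above.
# ASA syntax: route <interface> <network> <mask> <gateway> [metric]
ROUTE_CONFIG = """
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.30.0.0 255.255.0.0 10.10.20.1 1
route inside 10.40.0.0 255.255.0.0 10.10.20.1 1
route outside 10.180.10.0 255.255.255.192 10.10.10.1 1
route outside 10.183.20.48 255.255.255.224 10.10.10.1 1
"""

# (prefix, egress interface, next hop)
Route = Tuple[ipaddress.IPv4Network, str, str]


def parse_routes(config: str) -> List[Route]:
    """Parse 'route' lines into (prefix, interface, gateway) tuples."""
    routes: List[Route] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, gw = parts[1:5]
        prefix = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append((prefix, iface, gw))
    return routes


def best_route(routes: List[Route], src_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering src_ip, or None."""
    addr = ipaddress.IPv4Address(src_ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def rpf_allows(routes: List[Route], src_ip: str, ingress_iface: str) -> bool:
    """Strict reverse-path check: pass only if the best route back to the
    source points out of the interface the packet arrived on."""
    route = best_route(routes, src_ip)
    if route is None:
        return False  # no route at all: drop
    return route[1] == ingress_iface


def audit(routes: List[Route], cases: List[Tuple[str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Evaluate (source, ingress interface) pairs; returns rows with the
    interface the routing table expects and the verdict."""
    rows = []
    for src_ip, iface in cases:
        route = best_route(routes, src_ip)
        expected = route[1] if route else "(none)"
        rows.append((src_ip, iface, expected, rpf_allows(routes, src_ip, iface)))
    return rows


ROUTES = parse_routes(ROUTE_CONFIG)

# Constructed sample packets; 10.40.0.10 on outside is the case from question 2.
SAMPLE_CASES = [
    ("10.40.0.10", "outside"),
    ("10.40.0.10", "inside"),
    ("10.30.5.1", "outside"),
    ("10.180.10.7", "outside"),
    ("10.180.10.7", "inside"),
    ("203.0.113.5", "outside"),
    ("203.0.113.5", "inside"),
]

if __name__ == "__main__":
    print(f"{'source':<14}{'ingress':<10}{'expected':<10}verdict")
    for src_ip, iface, expected, ok in audit(ROUTES, SAMPLE_CASES):
        print(f"{src_ip:<14}{iface:<10}{expected:<10}{'pass' if ok else 'DROP'}")
```

Running it shows the effect of the default route: any source with no more specific route maps to "outside", so on the OUTSIDE interface only sources that belong to a route via INSIDE (10.30.0.0/16 and 10.40.0.0/16) fail the check, while on the INSIDE interface everything except those two prefixes fails. The 10.40.0.10-on-outside case resolves to the inside route and is dropped under this model.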
