07-30-2011 09:39 AM - edited 03-04-2019 01:08 PM
Hi,
I tried using this command on the outside interface of my 887VA dsl interface and it stopped all traffic until I removed it.
interface ATM0.1 point-to-point
ip address a.b.c.d 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip verify unicast source reachable-via rx
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
Is there a way to implement anti-spoofing on this interface or a way to use this command so it works?
Thanks.
07-30-2011 10:13 AM
Hello,
Perhaps you need to use the following form:
ip verify unicast source reachable-via rx allow-default
Without the allow-default, the command will not use the default route for the RPF check. Using allow-default, the command allows the RPF check to also accept packets arriving at that interface which match a default route that points back through the same interface.
Best regards,
Peter
07-30-2011 10:58 AM
Thanks much! That did it.
07-30-2011 11:00 AM
Hello,
I am glad to have helped!
Best regards,
Peter
05-17-2018 09:27 AM
Hi Peter
I would like to ask one more additional question to this topic please.
Does
ip verify unicast source reachable-via rx
have any impact if used with allow-default option? (presuming that DG is pointing to the interface)
Because from my POV it will allow everything that comes in from the interface to which the DG is pointing.
So removing the command ip verify source unicast reachable-via rx allow-default
will basically do the same as having it there => allow all the traffic.
Can you please help understand?
Thank you
LG
05-18-2018 01:40 AM
That happens, no problem.
Just for confirmation
if I use
ip verify source unicast reachable-via rx
on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.
(which is not feasible, unless the router learns the whole inet table)
If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets
everything in except the sources you mentioned.
Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?
If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?
Thanks for your time!
LG
05-18-2018 02:30 AM
Hi,
"if I use
ip verify source unicast reachable-via rx
on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.
(which is not feasible, unless the router learns the whole inet table)"
Correct
"If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets everything in except the sources you mentioned. "
Yes, if, of course, the default route points to intfX. Note that packets with source IP address 10.x.x.x or 192.168.x.x are dropped unless, for some reason, you have a route for that network using intfX.
"Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?"
Yes
"If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?"
Yes, this is the so-called loose mode, but I think it's not a good idea.
Finally consider that you can configure "exceptions" using an ACL:
ip verify unicast source reachable-via rx allow-default <acl>
This way traffic that would be dropped is forwarded if it matches a permit clause in the ACL.
"If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF. " http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#wp1745281618
Bye,
e
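As an added illustration (not code from this thread or from Cisco), here is a small Python model of the uRPF decision the answers above describe: strict (rx) versus loose (any) mode, the effect of allow-default, and the ACL exception. The FIB is constructed to mirror the 887VA setup: a /30 and the default route on ATM0.1, with the LAN on an assumed Vlan1; the prefixes and the exception ACL are assumptions.

```python
import ipaddress

# Constructed FIB mirroring the thread's 887VA: a /30 and the default route
# on ATM0.1 (the DSL WAN), the LAN on Vlan1 (interface name assumed).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "ATM0.1"),
    (ipaddress.ip_network("203.0.113.0/30"), "ATM0.1"),
    (ipaddress.ip_network("192.168.1.0/24"), "Vlan1"),
]

def fib_lookup(src):
    """Longest-prefix match; returns (network, egress interface) or None."""
    best = None
    for net, iface in FIB:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def exception_acl(src):
    """Constructed ACL for the '<acl>' argument: permit a partner prefix that
    legitimately arrives over a path the FIB does not point back through."""
    return src in ipaddress.ip_network("198.51.100.0/24")

def urpf_permits(src, ingress, mode="rx", allow_default=False, acl=None):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default] [acl]'.
    rx (strict): the FIB route back to src must leave via the ingress interface.
    any (loose): any FIB route suffices.
    The default route is ignored for the check unless allow_default is set.
    The ACL is consulted only when the check fails; a permit forwards the packet."""
    src = ipaddress.ip_address(src)
    hit = fib_lookup(src)
    passed = False
    if hit is not None:
        net, iface = hit
        if net.prefixlen > 0 or allow_default:
            passed = (iface == ingress) if mode == "rx" else True
    if not passed and acl is not None:
        passed = acl(src)
    return passed

if __name__ == "__main__":
    # The original poster's symptom: strict mode on the WAN with only a default
    # route drops everything; allow-default fixes it but still drops spoofed LAN sources.
    print(urpf_permits("198.51.100.7", "ATM0.1"))                            # False
    print(urpf_permits("198.51.100.7", "ATM0.1", allow_default=True))        # True
    print(urpf_permits("192.168.1.5", "ATM0.1", allow_default=True))         # False
    print(urpf_permits("198.51.100.7", "Vlan1", allow_default=True))         # False
    print(urpf_permits("198.51.100.7", "Vlan1", "any", allow_default=True))  # True
```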
05-18-2018 02:35 AM
Fantastic!!!!
thank you very much.
Best regards
Leo
07-01-2021 04:03 AM
... exactly, it's like not having configured anything at all. So why configure it? It looks like nobody answered your question, because nobody understood it.
07-01-2021 05:13 AM - edited 07-01-2021 05:14 AM
Hello @randreetta
You wouldn't apply strict mode and allow-default on a single rtr with a single WAN interface, but you could apply strict mode only to a LAN interface of the same rtr, and maybe loose mode with allow-default on asymmetric links (meaning traffic egresses via one path and ingresses via an alternative path).
05-17-2018 01:30 PM
Hi
Configuring the uRPF check in this way can prevent IP spoofing. During an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using an ACL.
Usually at least the following classes are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.
Bye,
enrico.
PS rate if useful