11-12-2019 02:57 AM
Hi
Can anyone explain why is this route installed in ipv6 RIB?
L FF00::/8 [0/0] via Null0, receive
Thanks
Siva
11-12-2019 03:59 AM
This is to discard multicast.
HTH.
11-14-2019 12:07 AM
11-14-2019 12:58 AM
Hello Sivam,
I do agree, this router is not acting as an IPv6 multicast enabled router and as a result of this a "static" of FF00::/8 to Null0 is installed to silently drop all IPv6 multicast packets (including link-local IPv6 multicast); the "receive" word is misleading but comes from CEFv6 I suppose.
This can be used at the border between two enterprises that do not want to exchange IPv6 multicast traffic.
To be noted: as IPv6 uses multicast natively, and ICMPv6 and NDP are used instead of ARP, the impact is huge.
Are you studying for the routing exam now ?
Hope to help
Giuseppe
11-19-2019 01:29 AM - edited 11-19-2019 02:29 AM
Hello @Giuseppe Larosa
Happy to have a conversation again with you! And yes, I have been studying ROUTE for 2 months.
My question is: if a router wants to prevent multicast traffic, having no route in the RIB is enough, right?
Why is it automatically installing that route? Why don't we simply have no route?
Please help me to understand another question.
What is the use of configuring uRPF loose mode with the "allow-default" command on the internet edge?
As per my understanding the "allow-default" command enables considering the default route also a valid CEF entry to verify the source address of a packet, which means a packet with any source address will be allowed to enter on the interface, right? What is the point of using uRPF here?
Thanks
Siva
11-19-2019 03:51 AM
Hello Siva,
>>>
What is the use of configuring uRPF loose mode with the "allow-default" command on the internet edge?
As per my understanding the "allow-default" command enables considering the default route also a valid CEF entry to verify the source address of a packet, which means a packet with any source address will be allowed to enter on the interface, right? What is the point of using uRPF here?
>>>>>>>
Good question Siva, the typical use case is that of a multihomed BGP AS that does not want to receive BGP full tables, which for IPv4 are in the order of 770,000 routes or more (IPv6 has a built-in mechanism that limits the public IP addresses to 8,800 blocks).
In order to support two full BGP tables you need at least an ASR-1000H2 with 16 GB RAM, 64-bit processor and IOS XE, and at least two for redundancy.
If instead you have an Ethernet handoff and NAT is performed before the internet edge, the edge devices can be multilayer switches, which are cheaper.
Hope to help
Giuseppe
11-20-2019 01:21 AM
Hello @Giuseppe Larosa
Thanks for the reply
Sorry for asking again the same question
I'm not good at enterprise edge architecture (good at BGP but not MPLS and higher technologies), I'm still learning it.
I still have confusion about "ip verify unicast source reachable-via any allow-default".
uRPF is used to prevent packets with a source unknown to the CEF table, so if I use the above command it would eventually allow all source addresses, isn't it?
You said it is useful on a multihomed connection, but I didn't get the point, please help me.
Thanks
Siva
11-20-2019 02:54 AM - edited 11-20-2019 03:14 AM
Hello Siva,
Let's make some background history: security practices recommend blocking packets coming from the internet with so-called bogus networks as source addresses.
Let us think in IPv4 unicast.
Networks like:
0.0.0.0/x with x <> 0 and x <> 32
private IP addresses per RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
127.0.0.0/8 ! loopback addresses used inside devices for communication between linecards
224.0.0.0 - 239.255.255.255 (multicast cannot be used as source IP address in IPv4)
Your own public IP addresses should not be accepted from the internet because they can be the sign of an attack.
https://tools.ietf.org/html/rfc5735
There are automated tools that help to configure stateless input ACLs on border routers.
This is the scenario where uRPF was introduced, first for IPv4 unicast and later for IPv6 unicast.
Without allowing the default route 0.0.0.0/0, uRPF could be used by multihomed enterprises only if both edge routers are learning one or more full BGP tables, and this would require routers like the ASR 1000HX2 with 16 GB / 32 GB of RAM and 64-bit processors that are quite expensive.
Allowing the use of the default route is called loose uRPF versus strict uRPF.
This is the sense of my previous post.
Hope to help
Giuseppe
11-20-2019 05:17 AM
Hello @Giuseppe Larosa
Thanks for the reply
As you said, if we want to use uRPF on the internet edge without allowing default, we must install the whole BGP route table. (I understood this.)
From the ROUTE book:
Strict mode: With strict mode operation, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router's FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address.
Loose mode: With loose mode operation, a router only verifies that the source IP address of a packet is reachable, based on the router's FIB.
allow-default: Allows uRPF to use a default route if a network is not found in a router's FIB. (Note: The allow-default option can be used with either strict or loose mode.)
If you see the above diagram, they configured loose mode while allowing the default route ("ip verify unicast source reachable-via any allow-default").
I believe there is no use of this command, isn't it?
Thanks
Siva
11-20-2019 05:57 AM
Hello Siva,
My understanding, confirmed by the network diagram, is that:
uRPF loose mode := ....................... allow_default.
This is confirmed also in Juniper JUNOS documentation just to make an example.
To be more exact, a full BGP table is required with strict uRPF when multiple exit/entry points to the enterprise from the public internet are present, either on a single edge device or on two or more.
If only one exit point is present, strict uRPF can work fine even without a full BGP table.
Another reason to use full BGP tables is to use NetFlow for accounting and security purposes, collecting data based on source AS number and destination AS number; this is what I did in the past in my US patents on internet traffic analysis.
Hope to help
Giuseppe
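The strict, loose and allow-default behaviours quoted from the ROUTE book above, together with the FF00::/8 Null0 route from the original question, can be checked against a small constructed FIB. This is an added example, not code from the thread or from any Cisco product; the interface names, prefixes and addresses are assumptions.

```python
import ipaddress

# Constructed FIB of a multihomed IPv6 edge: (prefix, next-hop interface).
# Gi0/0 and Gi0/1 are two upstream links; Null0 is a discard route, as in the
# "L FF00::/8 [0/0] via Null0" entry that started the thread.
FIB = [
    (ipaddress.ip_network("::/0"), "Gi0/0"),            # default route
    (ipaddress.ip_network("2001:db8:100::/48"), "Gi0/1"),
    (ipaddress.ip_network("2001:db8:200::/48"), "Gi0/0"),
    (ipaddress.ip_network("ff00::/8"), "Null0"),        # multicast discard
]

def lookup(src):
    """Longest-prefix match for a source address; (prefix, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_pass(src, ingress, mode="strict", allow_default=False):
    """Emulate the uRPF verdict for one packet: True = forward, False = drop."""
    match = lookup(src)
    if match is None:
        return False                 # source has no route at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default route matched
    if iface == "Null0":
        return False                 # route points to a discard (bogon/multicast)
    if mode == "strict":
        return iface == ingress      # reverse path must be the ingress interface
    return True                      # loose: any usable route suffices

if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface)
    packets = [("2001:db8:100::1", "Gi0/0"), ("2001:db8:300::1", "Gi0/0"),
               ("ff02::1", "Gi0/0")]
    for src, ingress in packets:
        for mode, allow in (("strict", False), ("loose", False), ("loose", True)):
            verdict = "pass" if urpf_pass(src, ingress, mode, allow) else "drop"
            print(f"{src:18} in {ingress} {mode:6} allow-default={allow!s:5} -> {verdict}")
```

Note that with loose mode plus allow-default, every source still goes through the FIB, so a source whose best route is Null0 (here any FF00::/8 address) is still dropped; that is the filtering left over after the default route is accepted.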
11-20-2019 08:28 AM
Hello @Giuseppe Larosa
Thanks for your knowledgeable information.
Could you please have a look at the Cisco website below, where they mentioned:
strict mode: ip verify unicast source reachable-via rx
loose mode: ip verify unicast source reachable-via any
11-21-2019 12:12 AM
Hello Siva,
Looking at the configuration guide would have been more focused for the thread :)
Rated as it deserves
Siva I am learning a lot from our conversations
Best Regards
Giuseppe
11-22-2019 01:43 AM
Hello @Giuseppe Larosa
That's really fun Giuseppe
I believe I should keep learning technology as long as I'm in the industry.