2543 Views, 30 Helpful, 12 Replies

Ipv6 route

sivam siva
Level 3

Hi,

Can anyone explain why this route is installed in the IPv6 RIB?

L  FF00::/8 [0/0]   via Null0, receive

Thanks

Siva


12 Replies

rais
Level 7

This is to discard multicast.

HTH.

Hello @rais

Could you give me a little brief explanation?

Thanks

Siva

Giuseppe Larosa
Hall of Fame

Hello Sivam,

I do agree, this router is not acting as an IPv6 multicast enabled router and as a result of this a "static" of FF00::/8 to Null0 is installed to silently drop all IPv6 multicast packets (including link-local IPv6 multicast); the "receive" word is misleading but comes from CEFv6, I suppose.

This can be used at the border between two enterprises that do not want to exchange IPv6 multicast traffic.

To be noted: as IPv6 uses multicast natively, and ICMPv6 and NDP are used instead of ARP, the impact is huge.

Are you studying for the routing exam now?

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa

Happy to have a conversation again with you! And yes, I have been studying ROUTE for 2 months.

My question is: if a router wants to prevent multicast traffic, having no route in the RIB is enough, right?

Why is it automatically installing that route? Why don't we simply have no route?

Please help me to understand another question.

What is the use of configuring uRPF loose mode with the "allow-default" command on the internet edge?

As per my understanding, the "allow-default" command enables considering the default route also as a valid CEF entry to verify the source address of a packet, which means a packet with any source address will be allowed to enter on the interface, right? What is the point of using uRPF here?

Thanks

Siva

 

Hello Siva,

>>>
What is the use of configuring uRPF loose mode with the "allow-default" command on the internet edge?

As per my understanding, the "allow-default" command enables considering the default route also as a valid CEF entry to verify the source address of a packet, which means a packet with any source address will be allowed to enter on the interface, right? What is the point of using uRPF here?
>>>

Good question Siva, the typical use case is that of a multihomed BGP AS that does not want to receive BGP full tables, which for IPv4 are in the order of 770,000 routes or more (IPv6 has a built-in mechanism that limits the public IP addresses to 8,800 blocks).

In order to support two full BGP tables you need at least an ASR-1000H2 with 16 GB RAM, 64-bit processor, IOS XE, and at least two for redundancy.

If instead you have an Ethernet handoff and NAT is performed before the internet edge, the edge devices can be multilayer switches, which are cheaper.

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa

Thanks for the reply.

Sorry for asking the same question again.

I'm not good at enterprise edge architecture (good at BGP but not MPLS and higher technologies); I'm still learning it.

I still have the confusion about "ip verify unicast source reachable-via any allow-default".

uRPF is used to prevent packets with a source unknown to the CEF table, so if I use the above command it would eventually allow all source addresses, isn't it?

You said it is useful on multihomed connections, but I didn't get the point; please help me.

Thanks

Siva

Hello Siva,

let's make some background history: security practices recommend blocking packets coming from the internet with so-called bogus networks as source addresses.

Let us think in IPv4 unicast.

Networks like:

0.0.0.0/x with x <> 0 and x <> 32

private IP addresses per RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

127.0.0.0/8  ! loopback addresses used inside devices for communication between linecards

224.0.0.0 - 239.255.255.255  (multicast cannot be used as source IP address in IPv4)

Your own public IP addresses should not be accepted from the internet because they can be the sign of an attack.

https://tools.ietf.org/html/rfc5735

There are automated tools that help to configure stateless input ACLs on border routers.

This is the scenario where uRPF has been introduced, first for IPv4 unicast and later for IPv6 unicast.

Without allowing the default route 0.0.0.0/0, uRPF could be used by multihomed enterprises only if both edge routers are learning one or more full BGP tables, and this would require routers like ASR 1000HX2 with 16 GB / 32 GB of RAM and 64-bit processors that are quite expensive.

Allowing the use of the default route is called loose uRPF versus strict uRPF.

This is the sense of my previous post.

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa

Thanks for the reply.

As you said, if we want to use uRPF on the internet edge without allowing the default route, we must install the full BGP table. (I understood this.)

From the ROUTE book:

Strict mode: With strict mode operation, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router's FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address.

Loose mode: With loose mode operation, a router only verifies that the source IP address of a packet is reachable, based on the router's FIB.

allow-default: Allows uRPF to use a default route if a network is not found in a router's FIB. (Note: The allow-default option can be used with either strict or loose mode.)

[Image: uRPF.JPG]

If you see the above diagram, they configured loose mode while allowing the default route ("ip verify unicast source reachable-via any allow-default").

I believe there is no use for this command, is there?

Thanks

Siva

Hello Siva,

my understanding, confirmed by the network diagram, is that:

uRPF loose mode := ....................... allow_default.

This is confirmed also in Juniper JUNOS documentation, just to make an example.

To be more exact, a full BGP table is required with strict uRPF when multiple exit/entry points to the enterprise from the public internet are present, either in a single edge device or on two or more.

If only one exit point is present, strict uRPF can work fine even without a full BGP table.

Other reasons to use full BGP tables are to use NetFlow for accounting and security purposes, collecting data based on source AS number and destination AS number; this is what I did in the past in my US patents on internet traffic analysis.

Hope to help

Giuseppe
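To make the strict / loose / allow-default definitions quoted from the ROUTE book concrete, and to show why loose mode with allow-default is not a no-op at a multihomed edge, here is a small uRPF decision simulator. It is an added example, not code from this thread or from Cisco; the FIB entries and interface names are constructed, and it models the IOS behaviour that a source whose best match is a Null0 route (such as the FF00::/8 route from the original question) fails the check in every mode.

```python
"""uRPF decision simulator (added example, not from the thread or Cisco).
Applies the strict / loose / allow-default rules to a constructed IPv6 FIB.
A source whose longest match points to Null0 fails even in loose mode with
allow-default, which is what makes Null0 routes usable as a source filter."""
import ipaddress

# Constructed FIB: (prefix, outgoing interface). "Null0" marks a discard route.
FIB = [
    ("::/0",              "Gi0/0"),  # default route towards ISP-A
    ("2001:db8:100::/48", "Gi0/0"),  # learned from ISP-A
    ("2001:db8:200::/48", "Gi0/1"),  # learned from ISP-B (multihomed edge)
    ("ff00::/8",          "Null0"),  # multicast discard route from the original question
    ("2001:db8:bad::/48", "Null0"),  # constructed black-holed (bogon-style) source range
]

def lookup(src):
    """Longest-prefix match of src against FIB; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_pass(src, in_iface, mode, allow_default=False):
    """True if a packet from src arriving on in_iface passes the uRPF check.
    mode is "strict" (route must point back out in_iface) or "loose" (any route)."""
    hit = lookup(src)
    if hit is None:
        return False                      # no route at all: source is unreachable
    net, out_iface = hit
    if out_iface == "Null0":
        return False                      # discard route: fails in every mode
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default matched and it is not allowed
    if mode == "strict":
        return out_iface == in_iface      # strict: reverse path must be the ingress interface
    return True                           # loose: reachable via any interface is enough

if __name__ == "__main__":
    # Asymmetric return path via the other ISP: strict drops it, loose accepts it.
    print(urpf_pass("2001:db8:200::1", "Gi0/0", "strict"), urpf_pass("2001:db8:200::1", "Gi0/0", "loose"))
    # Source known only through the default route: allow-default decides.
    print(urpf_pass("2001:db8:300::1", "Gi0/0", "loose"), urpf_pass("2001:db8:300::1", "Gi0/0", "loose", True))
    # Null0-routed sources still fail with loose + allow-default.
    print(urpf_pass("ff02::1", "Gi0/0", "loose", True), urpf_pass("2001:db8:bad::1", "Gi0/0", "loose", True))
```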

Hello @Giuseppe Larosa

Thanks for your knowledgeable information.

Could you please have a look at the Cisco website below, where they mention:

strict mode: ip verify unicast source reachable-via rx

loose mode: ip verify unicast source reachable-via any

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/sec-data-urpf-xe-3s-book/sec-unicast-rpf-loose-mode.html#GUID-FFFA94D5-EEFB-4215-9EE1-DB37CD01C2CA

Hello Siva,

looking at the configuration guide would have been more focused for the thread :)

Rated as it deserves.

Siva, I am learning a lot from our conversations.

Best Regards

Giuseppe

Hello @Giuseppe Larosa

That's really fun, Giuseppe.

I believe I should keep learning technology as long as I'm in the industry.
