VPN Reverse Route Injection (RRI) Denial of Service

slewe
Level 1

Does anyone know if it's possible to limit what routes get injected by RRI? I want to prevent customers from injecting routes that are the same as the internal network where my authentication and log servers live.

Right now, a network that is behind a remote 3002 VPN endpoint gets injected into my VPN router's routing table. If they changed the private interface of the 3002 to something on my network, it would get added to my VPN router as a static route. The RRI route takes precedence over static routes that I add on my VPN router.

Has anyone encountered this?

Thanks

2 Replies

ehirsel
Level 6

If the VPN router is running IOS, you can use distribute-lists within the routing protocol configuration to limit what you receive into the route table as well as what you advertise out. In your case you are only interested in using the "distribute-list in" command. Note that with OSPF the routes will still appear in the OSPF database, but they will not appear in the routing table.

What type of device is the VPN router? What metric do the static routes that are being overridden by RRI have?

Let me know if this helps.

I am using a 7206 with a VPN service module. The metric of the static route that gets overridden is 1. The RRI by the 3002 client is happening before any route distribution, so I don't think the distribution list will help. Basically, I will lose connectivity to my internal server because the VPN sends the traffic back out the tunnel to the 3002 peer.
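An added monitoring check for the situation described in this thread, not code from the original posts or from Cisco: it parses static-route lines in the shape of `show ip route static` output and flags any route that points at a VPN peer and overlaps a protected internal prefix (the line format, the protected prefix, the sample routes and the peer addresses are constructed assumptions).

```python
import ipaddress
import re

# Assumed shape of one 'show ip route static' line (constructed, not from the thread):
#   S    10.10.0.0/16 [1/0] via 203.0.113.7
# Groups: destination prefix, [admin distance/metric], next hop.
STATIC_RE = re.compile(
    r"^S\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_static_routes(show_output):
    """Return (prefix, admin_distance, metric, next_hop) for each static route line."""
    routes = []
    for line in show_output.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), int(m["ad"]),
                           int(m["metric"]), ipaddress.ip_address(m["nh"])))
    return routes


def find_hijacking_routes(routes, protected_prefixes, vpn_peers):
    """Flag routes whose next hop is a VPN peer and whose destination overlaps
    a protected prefix in either direction (a peer injecting a more specific
    route for the auth/log server subnet is caught as well as an exact match)."""
    protected = [ipaddress.ip_network(p) for p in protected_prefixes]
    peers = {ipaddress.ip_address(p) for p in vpn_peers}
    hits = []
    for prefix, _ad, _metric, nh in routes:
        if nh in peers and any(prefix.overlaps(p) for p in protected):
            hits.append((str(prefix), str(nh)))
    return hits


# Constructed sample: two customer peers, one of which has injected the
# internal 10.10.0.0/16 range and a more specific subnet inside it.
SAMPLE_OUTPUT = """\
S    10.50.0.0/16 [1/0] via 203.0.113.7
S    10.10.0.0/16 [1/0] via 203.0.113.9
S    10.10.5.0/24 [1/0] via 203.0.113.9
S    172.16.0.0/12 [1/0] via 10.1.1.254
"""

if __name__ == "__main__":
    found = find_hijacking_routes(parse_static_routes(SAMPLE_OUTPUT),
                                  ["10.10.0.0/16"], ["203.0.113.7", "203.0.113.9"])
    for prefix, peer in found:
        print(f"ALERT: protected prefix reachable via VPN peer: {prefix} via {peer}")
```

The last sample line is an administrator's own static route to a non-peer next hop and is not flagged, so only routes that would actually send internal-server traffic back out a tunnel are reported.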