DES-7200 Configuration Guide Chapter 6 URPF Configuration
according to the entry found in the forwarding table. URPF looks up the forwarding table
using the source address and the receiving interface of the incoming message. If the source
address is not found in the forwarding table, the message is discarded; if the outgoing
interface specified in the forwarding table does not match the receiving interface of the
message, the message is also discarded. Otherwise, the message is forwarded.
URPF can protect the network by intercepting source address spoofing attacks.
6.1.2 Characteristics of URPF
6.1.2.1 Strict mode
Technical requirements of conventional URPF: URPF looks up the forwarding table using the
source address and the receiving interface of the incoming message. If the source address is
not found in the forwarding table, the message is discarded; if the outgoing interface
specified in the forwarding table does not match the receiving interface of the message, the
message is also discarded. In other words, the receiving interface of a message must be the
outgoing interface of the route that reaches its source address. This check mode is called
URPF strict mode.
Note
URPF strict mode is generally deployed on a point-to-point
interface, where the data streams in both directions must pass
through that point-to-point interface.
6.1.2.2 Loose mode
URPF strict mode has limitations. In particular, it is not suitable for asymmetrical routing
environments or multi-homed network environments.
Because of network flow control and routing policy requirements, asymmetrical routing is
common. Fig 2 shows an example of asymmetrical routing. If G1/2 on R1 has URPF strict mode
enabled and receives packets from the network segment 192.168.20.0/24, the URPF lookup
returns G1/1 as the outgoing interface for that source, so the message fails the URPF check.
In this case URPF strict mode causes the loss of data streams.
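The strict-mode check and the asymmetrical-routing failure described above can be reproduced with a small simulation. This is an added example, not code from the guide or the device. The forwarding table is constructed: only the 192.168.20.0/24 route via G1/1 follows the text, and the other prefixes, the interface G1/3 and the function names are assumptions.

```python
import ipaddress

# Constructed forwarding table for R1 (prefix -> outgoing interface).
# 192.168.20.0/24 via G1/1 follows the asymmetrical-routing case in the text;
# the remaining entries are assumptions for illustration.
FIB = {
    "192.168.20.0/24": "G1/1",
    "192.168.10.0/24": "G1/2",
    "192.168.0.0/16": "G1/3",
}

def lookup(fib, src):
    """Longest-prefix match of src in the forwarding table; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_strict(fib, src, in_if):
    """Return (verdict, reason) for a message with source src received on in_if."""
    hit = lookup(fib, src)
    if hit is None:
        return ("discard", "source address not in forwarding table")
    net, out_if = hit
    if out_if != in_if:
        return ("discard", f"route to {net} leaves via {out_if}, not {in_if}")
    return ("forward", f"route to {net} leaves via receiving interface {in_if}")

if __name__ == "__main__":
    # Constructed sample messages: (source address, receiving interface).
    packets = [
        ("192.168.20.7", "G1/2"),  # legitimate, but arrives on the asymmetric path
        ("192.168.20.7", "G1/1"),  # same source on the expected interface
        ("192.168.10.5", "G1/2"),  # symmetric path
        ("10.9.9.9", "G1/2"),      # spoofed source with no route
        ("192.168.99.1", "G1/3"),  # matched only by the less specific /16
    ]
    for src, in_if in packets:
        verdict, reason = urpf_strict(FIB, src, in_if)
        print(f"{src:15} on {in_if}: {verdict:8} ({reason})")
```

The first sample message is the one that matters operationally: it carries a genuine source address and is still discarded, which is the data-stream loss the text attributes to strict mode.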