ip verify reverse-path


Implement Unicast RPF IP spoofing protection. (Configuration mode.)

[no] ip verify reverse-path interface int_name

show ip verify [reverse-path [interface int_name]]

clear ip verify

clear ip verify reverse-path interface int_name


Syntax Description

ip verify reverse-path interface
    Protects an individual interface against IP spoofing by enabling both ingress and egress filtering to verify addressing and route integrity. This command depends upon a default route previously defined in the configuration. See RFC 2267 for more information.

no ip verify reverse-path interface
    Disables ip verify reverse-path filtering for an individual interface and removes it from the configuration.

show ip verify
    Displays a list of the ip verify commands in the configuration, including ip verify reverse-path for all interfaces or for one interface.

clear ip verify
    Removes all ip verify commands from the configuration.

clear ip verify reverse-path interface
    Removes the ip verify reverse-path command for an individual interface from the configuration.

int_name
    Name of the interface you want to protect from a DoS attack.


Usage Guidelines

The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (RPF) functionality for the firewall. The show ip verify command lists the ip verify commands in the configuration. The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookups, prevents such manipulation under certain circumstances.

The ip verify reverse-path command depends on a default route for the outside interface being present in the configuration, that is, a route command statement whose IP address and network mask are both 0.0.0.0 (route outside 0.0.0.0 0.0.0.0 ...).

The ip verify reverse-path command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity, and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, then it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses that can be verified against routes in the enforcing entity's local routing table. If an exiting packet did not arrive on the best return path back to its originator, the packet is dropped and the event is logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside of the local domain, which matters because most attacks use IP spoofing to hide the identity of the attacking host, and it makes tracing the origin of an attack much easier. When employed, egress filtering enforces that IP source addresses come from a valid pool of network addresses; those addresses are local to the enforcing entity and are therefore easily traceable.

Unicast RPF is implemented as follows:

  1. ICMP packets have no session so each packet is checked.

  2. UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
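As an added illustration (not part of the original command reference), the following Python model implements the two-step scheme above against a constructed routing table: ICMP is reverse-looked-up per packet, TCP/UDP flows are looked up once and then pinned to the ingress interface of their initial packet, and drops are counted per interface. The class, addresses and interface names are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed routing table: (prefix, interface the firewall uses to reach it).
# The /24 networks mirror the page's example; the 0.0.0.0/0 route on "outside"
# is the default route the ip verify reverse-path command depends on.
ROUTES = [
    ("10.1.1.0/24", "inside"),
    ("10.1.2.0/24", "inside"),
    ("10.1.3.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]

class UnicastRPF:
    """Strict Unicast RPF as described on this page (model, not PIX code):
    ICMP is checked on every packet; TCP/UDP do a reverse route lookup on the
    initial packet and pin the session to that ingress interface. Drops are
    counted per interface, like the "unicast rpf drops" counter."""

    def __init__(self, routes, protected):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.protected = set(protected)      # interfaces with ip verify reverse-path
        self.sessions = {}                   # 5-tuple -> interface of initial packet
        self.drops = Counter()               # interface -> dropped packet count

    def reverse_lookup(self, src):
        """Longest-prefix match: the interface the firewall would use to reach
        src, or None if no route (not even a default route) covers it."""
        ip = ipaddress.ip_address(src)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if ip in net]
        return max(matches)[1] if matches else None

    def check(self, iface, proto, src, dst, sport=0, dport=0):
        """Return True if the packet passes, False if Unicast RPF drops it."""
        if iface not in self.protected:
            return True                                # interface not protected
        if proto == "icmp":                            # no session: check each packet
            ok = self.reverse_lookup(src) == iface
        else:
            key = (proto, src, sport, dst, dport)
            if key in self.sessions:                   # non-initial: same interface?
                ok = self.sessions[key] == iface
            else:                                      # initial: reverse route lookup
                ok = self.reverse_lookup(src) == iface
                if ok:
                    self.sessions[key] = iface
        if not ok:
            self.drops[iface] += 1
        return ok
```

Removing the default route from ROUTES shows the failure mode the page warns about: every Internet-sourced packet arriving on a protected outside interface is dropped because no route covers its source address.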

Before using this command, add static route command statements for every network that can be reached through the interfaces you wish to protect. Enable this command only when routing is fully specified; otherwise the firewall drops traffic on the interfaces you specify, because packets whose source addresses have no route fail the reverse-path check.

Use the show interface command to view the number of dropped packets, which appears in the "unicast rpf drops" counter.


Examples

The following example protects traffic between the inside and outside interfaces and provides route command statements for two networks 10.1.2.0 and 10.1.3.0 that connect to the inside interface via a hub:

ip address inside 10.1.1.1 255.255.0.0
route inside 10.1.2.0 255.255.0.0 10.1.1.1 1
route inside 10.1.3.0 255.255.0.0 10.1.1.1 1
ip verify reverse-path interface outside
ip verify reverse-path interface inside

The ip verify reverse-path interface outside command statement protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command statement protects the inside interface from network egress attacks from users on the internal network.