Sunday, April 1, 2018

URPF






Packets coming in to R2 FastEthernet0/0 that are not in R2's routing table will be dropped.



R2#sho run int fastEthernet 0/0
Building configuration...

Current configuration : 128 bytes
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip verify unicast source reachable-via rx 150
 duplex half
end



And strict mode says not only do they have to be sourced from an IP address that is in the routing table of R2, they also have to be reachable out that specific interface.


An access-list can be used to permit some source IP's that are not in the routing table.




R2#show ip route | begin Gateway
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 12.1.1.1, 00:40:53, FastEthernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
C        2.2.2.2 is directly connected, Loopback0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/2] via 23.1.1.3, 00:39:56, FastEthernet1/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, FastEthernet1/0
L        23.1.1.2/32 is directly connected, FastEthernet1/0



R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log



     1.1.1.1 is in the routing table of R2 so he will not be subjected to any check

     11.11.11.11 is not in the routing table of R2 so he will be checked and permitted

     111.111.111.111 is not in the routing table of R2 so he will be checked and denied

     Anybody else who tries to sneak in will be checked, denied, and logged.




Let's ping from 1.1.1.1

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/64 ms



R3 has a route back to 1.1.1.1 so he sends the reply.


R3#sho ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 23.1.1.2 on FastEthernet0/0, 00:23:15 ago
  Routing Descriptor Blocks:
  * 23.1.1.2, from 1.1.1.1, 00:23:15 ago, via FastEthernet0/0
      Route metric is 3, traffic share count is 1



R2 access-list shows no match because 1.1.1.1 is in the routing table of R2 so 1.1.1.1 did not have to go through the acl.


R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log





Let's ping from 11.11.11.11

R1#ping 3.3.3.3 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)


Whey did the ping fail?

11.11.11.11 should be permitted by the acl on R2.

Let's check R3.


R3 saw the packet come in.


R3#
*Apr  1 22:43:22.335: ICMP: echo reply sent, src 3.3.3.3, dst 11.11.11.11, topology BASE, dscp 0 topoid 0
R3#




R3 has no route back to 11.11.11.11 so he does not send any reply.


R3#show ip route 11.11.11.11
% Network not in table



On R2 we see the matches this time because 11.11.11.11 is not in the routing table of R2 therefore he is subject to the check by the access-list.



R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log



11.11.11.11 was permitted through by R2.

The reason the ping failed was because R3 had no route back to the source.




Let's ping from 111.111.111.111


R1#ping 3.3.3.3 source 111.111.111.111
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.111
.....
Success rate is 0 percent (0/5)


This ping also fails.

But this time it failed because it was denied by R2.

R3 did  not see any packet come in from 111.111.111.111.

R3#show debugging
Generic IP:
  ICMP packet debugging is on



R3#
R3#
R3#
R3#
R3#


Because it was denied by the URPF acl on R2.

R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3 (5 matches)
    40 deny ip any any log







Now what if somebody else tries to get thorugh?


R1#ping 3.3.3.3 source 192.168.34.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.34.7
.....
Success rate is 0 percent (0/5)


He is denied and logged by the last line of the acl on R2.


R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3 (5 matches)
    40 deny ip any any log (5 matches)


R2#
*Apr  1 22:48:56.203: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.34.7 -> 3.3.3.3 (0/0), 1 packet
R2#








Posted by at