This Bridge is the Root

View Original

IPv6 Unicast Reverse Path Forwarding Check

Those that are familiar with multicast routing will be familiar with the concept of a reverse path forwarding check. In multicast, the router performs a lookup in the unicast routing table for the source address of the packet received and verify that the outgoing interface in the routing table matches the ingress port of the packet. This simple check verifies that there are no loops with multicast traffic.

We can also apply this same logic to IPv4 and IPv6 unicast traffic. The following command is applied to routed interfaces.

ipv6 verify unicast source reachable-via rx allow-default

While this command is quite long, there’s only a couple of options that we need to be aware of. The first option is to determine whether we wanted to broadly verify that there’s a route for that source destination in the routing table or to strictly check that the packet is coming in on the correct interface. “Reachable-via any” will perform loose checking and “reachable-via rx” will perform strict address checking. In my opinion, it’s unlikely that you’re going to deploy this command with loose address checking enabled. The reachable-via any option may be necessary if you have asymmetrical routing in your network by design.

Additionally, there’s the "allow-default" keyword that enables the default-route to be used as a valid route for address verification. The allow-default option is only necessary on interfaces that would be the default-route outgoing interface but as a force of habit, I typically enable it on all interfaces to avoid a situation where I need it and accidentally didn’t enable it.

Lastly, we can exclude traffic from being dropped by adding an access-list to the end of the string. I've used this feature before to allow IP SLA traffic that was determining if a default route was up or not. Without the filter for the SLA traffic, return packets were dropped as there were no route in the routing table for them.

ipv6 access-list RPF_WHITELIST

permit ip 2001:db8:5::/64 any

interface GigabitEthernet1/0/1

ipv6 verify unicast source reachable-via rx allow-default RPF_WHITELIST

The Unicast Reverse Path Forwarding Check is an important feature to enable because it can block infected machines from generating spoofed traffic. I only wish network operators everywhere would implement this and we could drastically reduce the amount of DDOS botnet traffic on the internet. I personally consider this to be vital to any users network that I deploy and I think it should be part of any standard deployment.

You can reference this Cisco documentation for the feature here.