Preventing Packet Spoofing with uRPF

Hi,

I have to say that I'm a bit disappointed with the quality of the workbook so far. A lot of questions are very generic which makes it hard to figure out what exactly the task is asking for. I don't understand the sample solution of this task because it does not do what was asked in this task.

  • Consider that R4's VLAN 146 link is an ISP connection providing Internet services.
    • Ensure that R4 does not accept packets with IP addresses of the internal subnets on its connection to the ISP.
    • Considering that there is another connection to the same ISP in the network, account for possible asymmetric routing issues on R4.
I assume that internal subnets are 150.1.0.0/16 and 155.1.0.0/16, correct?


This solution does not fulfil the first requirement. I could still fake an internal address on R6 (outside) for example and send traffic to R5 (internal).


Let's assume R6 wants to spoof R5's loopback0 interface which is in the internal network address range.

R6#sh run int lo1
Building configuration...

Current configuration : 65 bytes
!
interface Loopback1
 ip address 150.1.5.5 255.255.255.255
end

R6#ping 150.1.4.4 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5 
.....
Success rate is 0 percent (0/5)

R5 receives the echo-reply packets as we can see from the debug ip icmp output:

R5#
ICMP: echo reply rcvd, src 150.1.4.4, dst 150.1.5.5, topology BASE, dscp 0 topoid 0

In my opinion this task requires a different topology with a clear separation of internal and external address space. Otherwise this task doesn't make a lot of sense.


Florian
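The behaviour Florian observes follows directly from how the two uRPF modes decide. The model below is an added example, not workbook code and not the poster's; it replays R4's decision for the spoofed packet (source 150.1.5.5 arriving on the ISP link) against a constructed FIB, using the three checks the task bullets imply: strict uRPF (ip verify unicast source reachable-via rx), loose uRPF (reachable-via any) and a plain ingress ACL. The interface names Gi0/0.146, Gi0/0.45 and Gi0/0.14, the external prefix 203.0.113.0/24 reached via the second ISP link, and the source 198.51.100.7 are assumptions for the example; the internal ranges are the ones the post assumes. ECMP reverse paths and the ACL-exemption argument of the uRPF command are not modelled.

```python
import ipaddress
from typing import Optional, Tuple

# Assumed R4 interface names (chosen for this example, not from the workbook).
ISP_IF = "Gi0/0.146"   # VLAN 146 link towards the ISP (untrusted side)
LAN_IF = "Gi0/0.45"    # internal link towards R5
ALT_IF = "Gi0/0.14"    # link towards R1, which holds the second ISP connection

# Constructed FIB for R4. 150.1.0.0/16 and 155.1.0.0/16 are the internal
# ranges the post assumes; 203.0.113.0/24 is a constructed external prefix
# that R4 reaches via the other ISP link (the asymmetric-routing case).
FIB = [
    (ipaddress.ip_network("150.1.5.5/32"), LAN_IF),
    (ipaddress.ip_network("150.1.0.0/16"), LAN_IF),
    (ipaddress.ip_network("155.1.0.0/16"), LAN_IF),
    (ipaddress.ip_network("203.0.113.0/24"), ALT_IF),
    (ipaddress.ip_network("0.0.0.0/0"), ISP_IF),
]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = [ipaddress.ip_network("150.1.0.0/16"),
            ipaddress.ip_network("155.1.0.0/16")]


def lookup(src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of the packet's source address against the FIB."""
    addr = ipaddress.ip_address(src)
    matches = [(p, i) for p, i in FIB if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_strict(src: str, ingress: str, allow_default: bool = False) -> bool:
    """ip verify unicast source reachable-via rx [allow-default]:
    accept only if the best route back to the source leaves via the ingress
    interface. The default route counts only with allow-default."""
    route = lookup(src)
    if route is None or (route[0] == DEFAULT and not allow_default):
        return False
    return route[1] == ingress


def urpf_loose(src: str, ingress: str, allow_default: bool = False) -> bool:
    """ip verify unicast source reachable-via any [allow-default]:
    accept if any route to the source exists; the ingress interface is
    never compared, which is why a reachable internal address passes."""
    route = lookup(src)
    if route is None or (route[0] == DEFAULT and not allow_default):
        return False
    return True


def acl_permit(src: str, ingress: str) -> bool:
    """Ingress ACL applied only on the ISP link: deny packets whose source
    lies in an internal range, permit everything else."""
    if ingress != ISP_IF:
        return True
    return not any(ipaddress.ip_address(src) in n for n in INTERNAL)


def evaluate(src: str, ingress: str) -> dict:
    """Verdict of each check for one packet (allow-default on, as an ISP
    link with only a default route to the Internet would need)."""
    return {
        "strict": urpf_strict(src, ingress, allow_default=True),
        "loose": urpf_loose(src, ingress, allow_default=True),
        "acl": acl_permit(src, ingress),
    }


def anti_spoof_policy(src: str, ingress: str) -> bool:
    """Combined policy for the task: ingress ACL (first bullet) plus loose
    uRPF with allow-default, which tolerates the asymmetric returns that
    strict mode would drop (second bullet)."""
    return acl_permit(src, ingress) and urpf_loose(src, ingress, allow_default=True)


if __name__ == "__main__":
    cases = [
        ("150.1.5.5", ISP_IF),      # R6 spoofing R5's loopback, in from the ISP
        ("203.0.113.10", ISP_IF),   # legitimate return via the "wrong" ISP link
        ("198.51.100.7", ISP_IF),   # ordinary Internet source (default route)
        ("150.1.5.5", LAN_IF),      # the real R5, in from the inside
    ]
    for src, ifc in cases:
        print(f"{src:>14} on {ifc}: {evaluate(src, ifc)} "
              f"policy={'accept' if anti_spoof_policy(src, ifc) else 'drop'}")
```

Running the model shows the three outcomes the post is circling: the spoofed 150.1.5.5 on the ISP link is dropped by strict mode and by the ACL but accepted by loose mode, because a /32 for it is in the FIB; the asymmetric 203.0.113.10 is dropped by strict mode alone; and only the ACL-plus-loose-uRPF combination accepts the asymmetric return while rejecting the internal source. Strict mode on its own meets the first bullet but breaks the second, loose mode on its own meets the second but not the first, which is the gap Florian's ping demonstrates.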
