IPv6 URPF Process Overview

Source: Internet
Author: User

IPv6 URPF (Unicast Reverse Path Forwarding) is an IPv6 unicast packet inspection and decision technique used to prevent network attacks based on source address spoofing.

IPv6 URPF is used in IPv6 networks. The switch obtains the source IPv6 address and the inbound interface of each IPv6 packet it receives, then looks up a route in the routing table using the source IPv6 address as the destination address. If the outgoing interface of that route does not match the inbound interface on which the packet was received, the switch assumes that the IPv6 source address of the packet is forged and discards the packet. As demand for IPv6 grows, URPF with IPv6 support has good prospects in future security applications.

When the vswitch receives an IPv6 unicast packet, it obtains the source IPv6 address and the inbound interface of the packet and searches the routing table for a route with the source IPv6 address as the destination address. If the outgoing interface of the route does not match the inbound interface on which the packet was received, the switch assumes that the source address of the packet is forged and discards the packet. Implementing URPF in software is inefficient, so the packet filtering mechanism needs to be implemented in hardware: the URPF function is enabled through software and carried out by hardware.

By traversing the unicast route table and monitoring changes to it, IPv6 URPF associates the source addresses of IPv6 data with one or more IPv6 CIDR blocks A = {A | X:x/m1, X1:X1:X1:X1/m2, ...} and filters IPv6 packets according to the rules defined by this relationship. This mapping is called the IPv6 URPF mapping. That is, if the route table entry for destination address A points to port P, the URPF function allows only IPv6 packets with source IPv6 address A to access port P; otherwise, all route protocol packets are discarded.

As shown in the figure, the IPv6 URPF mapping relationship of the interface vlan1 is as follows: IPv6 packets with the source addresses 2001::1 and 2002::2 enter from the vlan1 interface, match the route table, and are forwarded. A packet from vlan2 with the source address 2001::3 does not match the route table and is discarded.
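The check and the vlan1/vlan2 case described above can be modeled in software as follows. This is an added example, not code from the original page or from any switch vendor; the class name `Urpf6`, the prefix lengths and the later /128 route are assumptions constructed for illustration. It also shows why the filter has to follow route table changes: once a more specific route appears, the same source address is accepted on a different interface.

```python
import ipaddress


class Urpf6:
    """Software model of the strict IPv6 URPF check (hypothetical helper)."""

    def __init__(self):
        self.routes = {}  # IPv6Network -> outgoing interface name

    def route_update(self, prefix, iface):
        """Route table change: add or replace a route; iface=None withdraws it."""
        net = ipaddress.IPv6Network(prefix)
        if iface is None:
            self.routes.pop(net, None)
        else:
            self.routes[net] = iface

    def mapping(self, iface):
        """The set A of CIDR blocks currently associated with port P (iface)."""
        return sorted(str(n) for n, i in self.routes.items() if i == iface)

    def out_iface(self, addr):
        """Longest-prefix-match lookup, using addr as the destination."""
        a = ipaddress.IPv6Address(addr)
        hits = [n for n in self.routes if a in n]
        if not hits:
            return None  # no route back to this address
        return self.routes[max(hits, key=lambda n: n.prefixlen)]

    def permit(self, src, in_iface):
        """Forward only if the route back to src leaves through in_iface."""
        out = self.out_iface(src)
        return out is not None and out == in_iface


def demo():
    u = Urpf6()
    # Constructed route table; the /64 prefix lengths are assumptions.
    u.route_update("2001::/64", "vlan1")
    u.route_update("2002::/64", "vlan1")
    before = [u.permit("2001::1", "vlan1"), u.permit("2002::2", "vlan1"),
              u.permit("2001::3", "vlan2")]
    # Route table change: a more specific route now points at vlan2.
    u.route_update("2001::3/128", "vlan2")
    after = [u.permit("2001::3", "vlan2"), u.permit("2001::3", "vlan1")]
    return before, after, u.mapping("vlan1")


if __name__ == "__main__":
    print(demo())
```

After the /128 route is added, 2001::3 still falls inside a block mapped to vlan1, so a filter that only tests membership in the per-port prefix set would accept it there; the longest-prefix lookup is what rejects it.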
