summary

For traditional network forwarding devices , It mainly depends on the routing table , Forward as long as there is a route , If not, don't forward . It's OK to forward the message , The network forwarding device is unconditional full trust , And that leads to this IP The problem of deception , This is also a lot of Intranet IP Source of deception , Such as inside a local area network , You can use the flow manufacturing tool to make false flow on a host , The purpose of these traffic may be to disrupt the current network .

image IP-MAC The binding of can also prevent IP Deception and ARP cheating ,IP-MAC Binding technology is mainly artificially set IP-MAC The mapping relation of , So in the message forwarding or arp In the process of record learning, the mapping relationship will be checked , Only when the check is passed will it be forwarded . But whether it's URPF still IP-MAC The binding of , There is no doubt that it will reduce the forwarding speed of network devices .

The basic principle

URPF The basic principle of is also very simple , It is divided into strict mode and loose mode , The strict pattern is like this , If a message enters a network device , If the destination network can be found in the routing table, it is the source of the message IP The Internet , And its incoming interface corresponds to the interface specified in the routing table , Then you can forward . The loose mode is that as long as the destination network can be found, it is the source of the message IP Network then forward .

How to prevent

Why can this prevent IP cheating , First, when the attacker creates false traffic , False sources may be used IP Address , If it is a nonexistent host IP, So when such slaves exist IP The setting is reached URPF When using your network device , It will be discarded because there is no corresponding routing table entry . Then, if the attacker impersonates the existing host of the intranet to send traffic , Then there is no doubt that it will be discarded .

shortcoming

Now there is a drawback , If the attacker controls a host in the intranet , And the network segment of this host is 192.168.0.0, So as long as the attacker knows this principle , Then you can fake it C All hosts of class network IP Send false traffic . If the network segment is larger , such as B Class private network address , Then there are more that can be counterfeited . So URPF It can really reduce IP cheating , But if you know the principle , It's not a matter of minutes to want to fake .