From 3ee44040c66cbe47ff292ac7fb0badccbe2afe6d Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Mon, 3 Oct 2016 13:05:48 +0100 Subject: unicast RPF for FIB2.0 In a heirarchical FIB performing a unicast RPF check would require the traversal of the data-plane graph to seek out all the adjacency objects and then read those to find their interface. This is not efficient. Instead, for each path-list we construct a list of unique input interfaces and link this uRPF-list against the entry in the prefix table. In the data-plane the uRPF list can be retrieved from the load-balance lookup result and the RPF check is a simple and efficient walk across the minimal interface list. The uRPF-list is maintained as the routing heirarchy changes, in a similar way to the data-plane object graph. We also provide a knob to allow an arbitrary prefix to pass the loose check. Change-Id: Ie7c0ae3c4483ef467cfd5b136ee0315ff98ec15b Signed-off-by: Neale Ranns --- vnet/etc/scripts/urpf | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 vnet/etc/scripts/urpf (limited to 'vnet/etc/scripts/urpf') diff --git a/vnet/etc/scripts/urpf b/vnet/etc/scripts/urpf new file mode 100644 index 00000000000..a4d875276ee --- /dev/null +++ b/vnet/etc/scripts/urpf @@ -0,0 +1,86 @@ + +create loop int + +set int state loop0 up +set int ip addr loop0 10.10.10.10/24 + +packet-generator new { + name transit-deny + limit 1 + node ip4-input + size 64-64 + no-recycle + data { + UDP: 1.2.3.4 -> 2.2.2.2 + UDP: 3000 -> 3001 + length 128 checksum 0 incrementing 1 + } +} + +packet-generator new { + name transit-allow + limit 1 + node ip4-input + size 64-64 + no-recycle + data { + UDP: 1.1.1.1 -> 2.2.2.2 + UDP: 3000 -> 3001 + length 128 checksum 0 incrementing 1 + } +} + +packet-generator new { + name transit-allow-from-excemption + limit 1 + node ip4-input + size 64-64 + no-recycle + data { + UDP: 11.11.12.13 -> 2.2.2.2 + UDP: 6000 -> 6001 + length 128 checksum 0 incrementing 1 + } +} + +packet-generator new { + name for-us-allow-from-excemption + limit 1 + node ip4-input + size 64-64 + no-recycle + data { + UDP: 11.11.12.13 -> 10.10.10.10 + UDP: 6000 -> 6001 + length 128 checksum 0 incrementing 1 + } +} + +packet-generator new { + name for-us-allow + limit 1 + node ip4-input + size 64-64 + no-recycle + data { + UDP: 1.1.1.1 -> 10.10.10.10 + UDP: 3000 -> 3001 + length 128 checksum 0 incrementing 1 + } +} + +tr add pg-input 100 + +set int ip addr pg0 10.10.11.10/24 + +set interface ip source-check pg0 strict + +ip route add 1.1.1.1/32 via 10.10.11.11 pg0 +ip route add 2.2.2.2/32 via 10.10.10.11 loop0 + +ip urpf-accept 11.11.0.0/16 + +#set interface ip source-check pg0 strict del +#set interface ip source-check pg0 loose + +#ip urpf-accept del 11.11.0.0/16 -- cgit 1.2.3-korg