A number of common types of DoS attacks take advantage of forged or rapidly changing source IP addresses, allowing attackers
to thwart efforts by ISPs to locate or filter these attacks. Unicast RPF was originally created to help mitigate such attacks
by providing an automated, scalable mechanism to implement the Internet Engineering Task Force (IETF) Best Common Practices
38/Request for Comments 2827 (BCP 38/RFC 2827) anti-spoofing filtering on the customer-to-ISP network edge. By taking advantage
of the information stored in the Forwarding Information Base (FIB) that is created by the CEF switching process, Unicast RPF
can determine whether IP packets are spoofed or malformed by matching the IP source address and ingress interface against
the FIB entry that reaches “back” to this source (a so-called “reverse lookup”). Packets that are received from one of the
best reverse path routes back out of the same interface are forwarded as normal. If there is no reverse path route on the
same interface from which the packet was received, it might mean that the source address was modified, and the packet is dropped
(by default).
This original implementation of Unicast RPF, known as “strict mode,” required a match between the ingress interface and the
reverse path FIB entry. With Unicast RPF, all equal-cost “best” return paths are considered valid, meaning that it works for
cases in which multiple return paths exist, provided that each path is equal in routing cost to the others (number of hops,
weights, and so on), and as long as the route is in the FIB. Unicast RPF also functions when Enhanced Interior Gateway Routing
Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist. The strict mode
works well for customer-to-ISP network edge configurations that have symmetrical flows (including some multihomed configurations
in which symmetrical flows can be enforced).
However, some customer-to-ISP network edges and nearly all ISP-to-ISP network edges use multihomed configurations in which
routing asymmetry is typical. When traffic flows are asymmetrical, that is, those in which traffic from Network A to Network
B would normally take a different path from traffic flowing from Network B to Network A, the Unicast RPF check will always
fail the strict mode test. Because this type of asymmetric routing is common among ISPs and in the Internet core, the original
implementation of Unicast RPF was not available for use by ISPs on their core routers and ISP-to-ISP links.
Over time and with an increase in DDoS attacks on the Internet, the functionality of Unicast RPF was reviewed as a tool that
ISPs can use on the ISP-to-ISP network edge (an ISP router “peered” with another ISP router) to enable dynamic BGP, triggered
null route. To provide this functionality, however, the mechanisms used with Unicast RPF had to be modified to permit its
deployment on the ISP-to-ISP network edge so that asymmetrical routing is not an issue.