3.1.4 Set 'ip verify unicast source reachable-via'

Information

Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

Rationale:

Enabling uRPF helps mitigate IP spoofing by ensuring that packets are accepted only when their source IP address is reachable through the interface on which they arrived. Configure unicast reverse-path forwarding (uRPF) on all external or high-risk interfaces.

Solution

Configure uRPF.


hostname(config)#interface {interface_name}
hostname(config-if)#ip verify unicast source reachable-via rx
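
The following is an added audit check, not code from the benchmark or from Cisco: it parses an IOS-style running-config, finds the interfaces classed as external (here, by the assumed convention of a "WAN" marker in the interface description; adjust `marker` to your own naming), and reports whether each one carries strict uRPF (`reachable-via rx`), only loose uRPF (`reachable-via any`), or nothing at all. The sample configuration is constructed for the example. It also emits the remediation commands from the Solution above for every failing interface.

```python
"""Audit an IOS running-config for strict uRPF on external interfaces.

Added example (not part of the benchmark). Assumptions:
  - external interfaces are identified by a 'description' containing `marker`
  - the config text is in 'show running-config' layout, one stanza per
    'interface ...' block terminated by a line starting with '!'
"""
import re

# Constructed sample running-config for the example (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description WAN uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 description WAN backup link
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/2
 description LAN users
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 description WAN peering
 ip address 192.0.2.2 255.255.255.252
!
"""

# Current syntax: 'ip verify unicast source reachable-via {rx|any} [options]'
URPF_RE = re.compile(r"^ip verify unicast source reachable-via (rx|any)\b")
# Legacy syntax that also enables strict mode on older IOS releases.
URPF_LEGACY_STRICT = "ip verify unicast reverse-path"


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} from a running-config."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None          # end of the current stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def urpf_mode(lines):
    """Return 'rx', 'any' or None for an interface's config lines."""
    for line in lines:
        m = URPF_RE.match(line)
        if m:
            return m.group(1)
        if line.startswith(URPF_LEGACY_STRICT):
            return "rx"
    return None


def is_external(lines, marker="WAN"):
    """Assumed convention: external interfaces carry `marker` in their description."""
    return any(l.startswith("description") and marker in l for l in lines)


def audit_urpf(config_text, marker="WAN"):
    """Map each external interface to PASS, FAIL-loose or FAIL-missing."""
    results = {}
    for name, lines in parse_interfaces(config_text).items():
        if not is_external(lines, marker):
            continue
        mode = urpf_mode(lines)
        if mode == "rx":
            results[name] = "PASS"
        elif mode == "any":
            results[name] = "FAIL-loose"      # loose mode does not meet the control
        else:
            results[name] = "FAIL-missing"
    return results


def remediation_commands(results):
    """Build the IOS commands from the Solution for every failing interface."""
    cmds = []
    for name, status in sorted(results.items()):
        if status != "PASS":
            cmds.append(f"interface {name}")
            cmds.append(" ip verify unicast source reachable-via rx")
    return cmds


if __name__ == "__main__":
    findings = audit_urpf(SAMPLE_CONFIG)
    for name, status in sorted(findings.items()):
        print(f"{name:22s} {status}")
    print("\n".join(remediation_commands(findings)))
```

Interfaces with loose mode are reported separately from interfaces with no uRPF at all, because the fix for the former is a conscious decision (loose mode is usually there because strict mode broke asymmetric traffic) rather than a simple omission.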

Impact:

Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The unicast Reverse-Path Forwarding (uRPF) feature uses the routing table (FIB) to accept or drop packets as they arrive on an interface. In strict mode (reachable-via rx) a packet is dropped unless the best route back to its source address points out the interface it arrived on, so legitimate traffic will be dropped on interfaces with asymmetric routing (for example, multi-homed links where return traffic takes a different path). Verify route symmetry on each interface before enabling strict mode, and fall back to loose mode (reachable-via any) only where strict mode cannot be supported.

Default Value:

Unicast RPF is disabled.



References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-2ED313DB-3D3F-49D7-880A-047463632757

See Also

https://workbench.cisecurity.org/files/2585

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16), CSCv6|11

Plugin: Cisco

Control ID: 6843b89ea181336cb7c2ff1c0ea00a4913adff512cb3174a43f1a3f002bc9d07