Unicast RPF Check Mode for Optimal Protection in Cisco CCIE Service Provider Written Exam

Unicast RPF Check Mode for Optimal Protection

Question

A network has a single exit and is using a default route.

An operator is worried about denial of service at the network border.

Which unicast RPF check mode must the operator apply at the border for optimal protection?

Answers

A. loose mode with allow-self-ping
B. loose mode
C. strict mode with allow-default
D. strict mode
E. strict mode with allow-self-ping

Correct answer: C

Explanation

Unicast Reverse Path Forwarding (uRPF) makes a router check the source address of each incoming packet against its forwarding table (FIB) before forwarding it, and drop packets whose source fails the check. It is a standard anti-spoofing control in service provider networks, because the flooding traffic in many denial of service (DoS) and distributed denial of service (DDoS) attacks carries forged source addresses.

The operator is worried about denial of service at the network border, the point where the network connects to its upstream provider. The network has a single exit and reaches everything outside through a default route, so on the border interface the only route back toward an external source is that default route. This matters because uRPF on Cisco IOS does not use the default route for the source check unless the allow-default keyword is configured; a source address covered only by the default route otherwise fails the check, in strict and loose mode alike. The operator must therefore pick the uRPF mode that both blocks spoofed traffic and still lets legitimate default-routed traffic through.

Cisco describes three uRPF modes: strict mode, loose mode, and VRF mode. Each has its own advantages and limitations, and the operator must choose based on the network's topology and routing.

Loose mode (reachable-via any) forwards a packet if the FIB holds any route to its source address, regardless of the interface the packet arrived on. It is less restrictive than strict mode and suits multihomed networks with asymmetric routing. Its weakness is that it only catches sources with no route at all, such as unallocated or deliberately null-routed space; a packet spoofing any routable address, including the network's own internal prefixes, passes.

Strict mode (reachable-via rx) forwards a packet only if the best route to its source address points back out the interface the packet arrived on. This stops spoofing of any address that belongs behind another interface, but in networks with asymmetric routing or multiple paths to the same destination a legitimate packet arriving on an unexpected interface is dropped. A single-exit network with one upstream link has no such asymmetry at the border.

VRF mode checks the source address against the routing table of a particular VRF instead of the global table, typically to validate traffic from an eBGP peer against the routes that peer has advertised. It is useful in multi-tenant and interprovider environments but does not address the question here.

Option A: Loose mode with allow-self-ping. The allow-self-ping keyword does not change how transit traffic is checked; it only lets the router ping its own interface addresses, which the uRPF check would otherwise drop because the source is the router itself. Cisco's documentation warns that enabling it can open a denial of service hole, so it is not something to add when the goal is protection. The transit check remains loose mode, with the weaknesses described above.

Option B: Loose mode on its own does not stop packets that spoof the network's own address space from the outside, since those addresses have a valid route via an internal interface. Worse, without allow-default the default route is not used for the check, so at this border legitimate external sources, which are covered only by the default route, would fail the check as well.

Option C: Strict mode with allow-default lets the default route count as a valid return path, so traffic from any external source arriving on the upstream interface passes, because the default route points out that interface. Packets that arrive from the upstream but claim a source inside the network still fail, because a more specific route for those prefixes points to an internal interface, not the upstream one. This is exactly the protection wanted at a single-exit border: external traffic flows, spoofed internal addresses are dropped, and the single exit means there is no asymmetric-routing problem.

Option D: Strict mode without allow-default never consults the default route. On the upstream interface of this network almost every external source is covered only by the default route, so the check would fail for nearly all legitimate inbound traffic and the border would effectively black-hole the Internet. Strict mode alone is the right choice on interfaces with specific routes behind them, but not on a default-routed upstream link.

Option E: Strict mode with allow-self-ping has the same default-route problem as option D, since allow-self-ping only concerns the router's own pings, and it adds the DoS exposure Cisco warns about for that keyword.

Based on the above, option C (strict mode with allow-default) is the correct choice for this border. It gives the anti-spoofing strength of strict mode, lets legitimate traffic that is reachable only via the default route pass, and does not suffer from asymmetric routing because the network has a single exit. Strict mode without allow-default (option D) would be stricter on paper but would drop legitimate inbound traffic at a default-routed border.
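The following Python model is an added illustration for the mode descriptions and the option analysis above; it is not Cisco code and not part of the original page. It models the source check a Cisco IOS router performs for ip verify unicast source reachable-via {rx | any} [allow-default] against a small constructed FIB, including the IOS behaviour that the default route is ignored unless allow-default is set. The FIB, interface names (Gi0/0 upstream, Gi0/1 and Gi0/2 internal) and sample packets are all made up for the example; the 10.x internal prefixes and the 198.51.100.7 "Internet" source are placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: frozenset  # egress interfaces; more than one under ECMP


def route(prefix, *ifaces):
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


# Constructed FIB of a single-exit border router (addresses are made up):
#   Gi0/0 faces the upstream and carries the default route,
#   Gi0/1 and Gi0/2 face internal subnets, one of them reachable via ECMP.
FIB = [
    route("0.0.0.0/0", "Gi0/0"),
    route("10.1.0.0/24", "Gi0/1"),
    route("10.2.0.0/24", "Gi0/2"),
    route("10.3.0.0/25", "Gi0/1", "Gi0/2"),
]


def longest_match(src, fib=FIB):
    """Most specific FIB entry covering src, or None when nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_permits(src, in_iface, mode, allow_default=False, fib=FIB):
    """uRPF verdict for one packet (model of IOS behaviour, not IOS code).

    mode 'strict' models 'reachable-via rx', 'loose' models 'reachable-via any'.
    As on IOS, a source covered only by the default route fails the check
    unless allow_default is set, in both modes.
    """
    r = longest_match(src, fib)
    if r is None:
        return False                      # no route back to the source at all
    if r.prefix.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    if mode == "loose":
        return True                       # any route is good enough
    if mode == "strict":
        return in_iface in r.egress       # must arrive on a return-path interface
    raise ValueError(f"unknown mode {mode!r}")


# The exam's candidate configurations for the upstream interface Gi0/0.
# allow-self-ping only affects pings the router sends to its own addresses,
# so options A and E behave like B and D for transit traffic and are omitted.
BORDER_OPTIONS = {
    "B: loose": dict(mode="loose", allow_default=False),
    "C: strict allow-default": dict(mode="strict", allow_default=True),
    "D: strict": dict(mode="strict", allow_default=False),
}

# Constructed packets arriving from the upstream on Gi0/0.
INBOUND = {
    "legit internet source": "198.51.100.7",  # only the default route covers it
    "spoofed internal source": "10.1.0.5",    # claims an address behind Gi0/1
}


def border_results(option):
    """Verdict per sample inbound packet for one candidate configuration."""
    cfg = BORDER_OPTIONS[option]
    return {label: urpf_permits(src, "Gi0/0", **cfg) for label, src in INBOUND.items()}


if __name__ == "__main__":
    for option in BORDER_OPTIONS:
        print(option)
        for label, ok in border_results(option).items():
            print(f"  {label:<25} {'permit' if ok else 'drop'}")
```

Running it shows the three outcomes discussed above: option C permits the legitimate external source and drops the spoofed internal one; option D drops both, black-holing inbound traffic; option B drops the legitimate source (default route not used) while admitting the spoofed internal address. The same helper also shows why loose mode with allow-default is only useful together with null routes: once the default route counts, every source has a route, so only addresses pointed at Null0 still fail.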