DRAG DROP - Drag and drop the design characteristics from the left onto the correct network filter techniques on the right. Not all options are used. Select and Place:
After further research, I have changed my answers to the following, based on RFC 3704:
Ingress ACL - manual configuration
Strict RPF - dynamic filter
Feasible RPF - alternate routes
Loose RPF - filter Martian IP addresses
"Loose RPF might fit well could be an ISP filtering packets from its upstream providers, to get rid of packets with "Martian" or other non-routed addresses."
https://www.rfc-editor.org/rfc/rfc3704#page-5
Ingress ACL - filter technique for martian IP.
Strict RPF - Prevent Spoofing Attacks when there are alternative routes to a given IP address
Feasible RPF - Dynamic Filter.
Loose RPF - check existence of a route without regard to the incoming interface.
Sorry for typos - this is the correct order:
Ingress ACL - filter technique for martian IP.
Strict RPF - Dynamic Filter.
Feasible RPF - Prevent Spoofing Attacks when there are alternative routes to a given IP address
Loose RPF - check existence of a route without regard to the incoming interface.
From the same RFC 3704: "The questionable benefit of Loose RPF is found in asymmetric routing situations: a packet is dropped if there is no route at all, such as to "Martian addresses" or addresses that are not currently routed, but is not dropped if a route exists."
Correct as shown - only loose checks for Martian addresses
https://datatracker.ietf.org/doc/rfc8704/
The new “loose check” enhancement removes the match requirement on the specific ingress interface, allowing uRPF to “loose” check packets. This allows an ISP peering router with multiple links to multiple ISPs to check the source IP address of ingress packets to see if they exist in the FIB. If they exist, then the packets are forwarded. If they do not exist in the FIB, then the packets fail and are dropped. This increases resistance against DoS/DDoS attacks that use spoofed source addresses based on RFC1918, Martian, and unallocated IP addresses.
https://www.cisco.com/c/dam/en_us/about/security/intelligence/urpf.pdf
https://www.ietf.org/rfc/rfc3704.txt#:~:text=Feasible%20Path%20Reverse%20Path%20Forwarding%20(Feasible%20RPF)%20is%20an%20extension,and%20are%20valid%20for%20consideration.
needs to be revisited
I agree. Here is my version:
Regardless of the uRPF mode, the source IPs are checked against the FIB.
Ingress ACL – Manual Config
Strict RPF – dynamic filter
FP RPF – existence of a route without regard to the incoming interface
Loose RPF – block Martian IPs
Reverse Path Forwarding (RPF) as defined in RFC 3704 specifies 3 modes: 'strict' (drop traffic if the ingress interface does not have the best egress route to the source), 'feasible' (drop traffic if the ingress interface has no egress route to the source), and 'loose' (drop traffic if the entire system has no egress route to the source).
Changed my mind:
Ingress ACL – Manual Config
Strict RPF – dynamic filter
FP RPF – alternative routes
Loose RPF – existence of a route without regard to the incoming interface
I support your 2nd answer; refer to the IETF link above.
ACL – Manual Config
Strict RPF – dynamic filter
FP RPF – alternative routes
Loose RPF – existence of a route without regard to the incoming interface
Yes. This RFC is very clear in describing these four methods. Thank you.
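The three RPF modes compared in this thread, as an added example that is not part of any comment or of the exam material: a toy Python check run against a constructed routing table. The prefixes, interface names and the `lookup`/`rpf_accept` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed table: prefix -> [(interface, is_best_path), ...].
# Strict RPF uses only the best path (the FIB entry); feasible RPF also
# accepts the alternate paths the router knows about.
ROUTES = {
    "198.51.100.0/24": [("ge0", True), ("ge1", False)],  # dual-homed customer
    "203.0.113.0/24": [("ge2", True)],
}

def lookup(src, routes):
    """Longest-prefix match on the source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in routes]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return routes[str(max(hits, key=lambda n: n.prefixlen))]

def rpf_accept(mode, src, in_iface, routes=ROUTES):
    """Return True if a packet from src arriving on in_iface passes the check."""
    paths = lookup(src, routes)
    if paths is None:
        return False                  # no route at all: every mode drops
    if mode == "loose":
        return True                   # any route is enough, interface ignored
    if mode == "feasible":
        return any(i == in_iface for i, _ in paths)
    if mode == "strict":
        return any(i == in_iface and best for i, best in paths)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    cases = [("198.51.100.7", "ge1"),  # legitimate, asymmetric return path
             ("198.51.100.7", "ge2"),  # routed source, wrong interface
             ("10.1.1.1", "ge2")]      # RFC 1918 source, not in the table
    for src, iface in cases:
        verdicts = {m: rpf_accept(m, src, iface)
                    for m in ("strict", "feasible", "loose")}
        print(src, iface, verdicts)
```

Adding a default route to the table makes the loose check accept the RFC 1918 source as well, because loose mode only asks whether any route exists.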