Abstract
Systems and methods are disclosed for achieving dynamic Unicast Reverse Path Forwarding (uRPF) with route scale optimizations in an IP routing device. Ingress traffic is sampled and analyzed to detect conditions indicative of source address spoofing or related attacks. Upon detecting such a condition, a control plane automatically enables uRPF at a selected scope, including globally, per virtual routing and forwarding instance (VRF), and/or per interface, and subsequently disables uRPF once the attack condition has subsided for at least a configured inactivity interval. Because enabling uRPF can reduce the maximum number of routes installable in a hardware forwarding information base (FIB), the disclosure further provides a backup forwarding database that preserves routes displaced from the hardware FIB during uRPF enforcement, maintains coordination with the hardware FIB while uRPF is enabled, and enables deterministic synchronization of displaced routes back into hardware when uRPF is disabled, without requiring routing reconvergence or external reprogramming. Route updates received during uRPF enforcement may be handled according to one of multiple policies: rejecting updates, applying updates only to the backup database, or updating both the hardware FIB and the backup database with controlled backfill. This enables automated spoofing mitigation while maintaining forwarding scalability and predictable restoration of full route capacity.
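The backup-database behaviour described in the abstract can be modelled in a few lines; the following is an added illustration, not code from the disclosure. The class and method names, the capacity figures, the choice of which routes are displaced, the sorted restore order, and the reading of "controlled backfill" as "hardware first, overflow to backup" are all assumptions made for the example.

```python
from enum import Enum

class UpdatePolicy(Enum):
    REJECT = "reject"            # refuse updates while uRPF is enforced
    BACKUP_ONLY = "backup-only"  # record updates in the backup database only
    BOTH = "both"                # hardware first, overflow to backup (assumed)

class DynamicUrpfFib:
    """Toy model: hardware FIB whose capacity shrinks while uRPF is enabled."""

    def __init__(self, full_capacity, urpf_capacity, policy):
        self.full_capacity, self.urpf_capacity = full_capacity, urpf_capacity
        self.policy = policy
        self.hw = {}        # prefix -> next hop, routes programmed in hardware
        self.backup = {}    # prefix -> next hop, routes held out of hardware
        self.urpf = False

    def capacity(self):
        return self.urpf_capacity if self.urpf else self.full_capacity

    def enable_urpf(self):
        self.urpf = True
        # Assumption: the most recently installed routes are displaced first.
        while len(self.hw) > self.capacity():
            prefix, next_hop = self.hw.popitem()
            self.backup[prefix] = next_hop

    def disable_urpf(self):
        self.urpf = False
        # Sorted order makes the restore deterministic for a given backup set.
        for prefix in sorted(self.backup):
            if prefix in self.hw or len(self.hw) < self.capacity():
                self.hw[prefix] = self.backup.pop(prefix)

    def update(self, prefix, next_hop):
        """Apply a route update and return where it landed."""
        if self.urpf and self.policy is UpdatePolicy.REJECT:
            return "rejected"
        if self.urpf and self.policy is UpdatePolicy.BACKUP_ONLY:
            self.backup[prefix] = next_hop
            return "backup"
        if prefix in self.hw or len(self.hw) < self.capacity():
            self.hw[prefix] = next_hop
            self.backup.pop(prefix, None)
            return "hardware"
        # Assumption: a route that does not fit is held in the backup database.
        self.backup[prefix] = next_hop
        return "backup"
```
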
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Anonymous, "Achieving Dynamic uRPF with Route Scale Optimizations", Technical Disclosure Commons, (February 03, 2026)
https://www.tdcommons.org/dpubs_series/9273