uRPF (Unicast Reverse Path Forwarding) is a router security feature that verifies that the source address of a packet being forwarded is reachable. Instead of looking up only the destination, the router also performs a forwarding-table lookup on the source IP address, which lets it drop packets with spoofed source addresses (for example the forged sources used in DDoS and reflection attacks) before they are forwarded.
– the strict and loose modes are defined in RFC 3704 (BCP 84)
– it is one way to implement the ingress filtering recommended in RFC 2827 (BCP 38)
– it relies on the forwarding table for the lookup: the CEF (Cisco Express Forwarding) table on Cisco, the forwarding table (FIB) derived from the routing table on Junos
– preferably implemented at the network edge, on interfaces facing the Internet, customers and servers, where the legitimate source ranges are known
Two modes:
1. Strict mode (rx) – the packet must be received on the interface that the router would use to forward a packet back to its source address. Two checks:
– does the router have a matching entry for the source address in the forwarding table?
– is the interface the router would use to reach that source the same interface the packet arrived on?
Note: be very careful when implementing strict mode, as it can drop legitimate traffic. This normally happens when there are asymmetric routing paths in the network, i.e. traffic from a source arrives on a different interface than the one the router would use to send traffic back to that source.
Junos OS (EX, QFX Series):
On Junos, rpf-check defaults to strict mode, so no mode keyword is needed:
set interfaces <interface name> unit <unit number> family inet rpf-check
or
rpf-check;
Sample Config:
darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check
Verification:
show interfaces <interface-name> detail
show interfaces <interface-name> extensive
In the logical interface's Protocol inet section, check that the uRPF flag is set and watch the RPF Failures packet/byte counters to confirm the check is active and to see how much traffic it is dropping.
Junos OS (MX Series):
On the MX, packets that fail the check are discarded by default. Optionally, a fail-filter can be attached: failed packets are evaluated against that firewall filter instead, which lets you log or count them, or accept specific exceptions (for example DHCP/BOOTP requests sent from source 0.0.0.0, which can never pass a source lookup).
set interfaces <interface name> unit <unit number> family inet rpf-check fail-filter <FILTER-NAME>
set interfaces <interface name> unit <unit number> family inet rpf-check mode strict
Or:
rpf-check {
fail-filter filter-name;
mode strict;
}
Sample Config:
darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set firewall family inet filter MYFILTER term 10 then log
darwin@JUNIPER-re0# set firewall family inet filter MYFILTER term 10 then discard
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check fail-filter MYFILTER
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check mode strict
Verification:
show interfaces <interface-name> detail
show interfaces <interface-name> extensive
show firewall log
The first two show the uRPF flag and RPF Failures counters for the logical interface; show firewall log lists the packets the fail-filter logged before discarding them, which is the quickest way to see which sources are being rejected.
2. Loose mode (any) – the source address must be reachable via some route in the forwarding table, regardless of which interface that route points to. It can be used where there are asymmetric routing paths in the network, at the cost of only catching sources that are not routed at all (unallocated or bogon space): a spoofed source that belongs to any routed prefix will still pass. So basically it performs a single check:
– does the router have a matching entry for the source address in the forwarding table?
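The strict and loose checks described above, together with the fail-filter step used on the MX (a packet that fails the lookup is handed to the filter, which here accepts DHCP discovers and discards everything else), as an added Python model. This is not code from the post or from Junos; the FIB, the interface names (et-0/0/3, xe-0/0/0, xe-0/0/1) and the addresses are constructed for illustration. Treating a bare default route and a discard route as a failed lookup is a modelling choice made here, not a vendor default, so check your platform's documented behaviour for those two cases.

```python
"""Model of uRPF strict/loose checks (RFC 3704) plus an MX-style fail-filter.

Added example for this post, not Juniper code. Topology, interface names and
addresses below are constructed to illustrate the checks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str]  # None models a discard (blackhole) route


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # Longest prefix first, so the first hit is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if ip in r.prefix:
                return r
        return None


def rpf_check(fib, src, ingress, mode):
    """Return (passed, reason) for a packet with source src arriving on ingress.

    strict: the best route to src must point back out of the ingress interface.
    loose:  any usable route to src is enough, whatever interface it uses.
    Modelling choices (assumptions, not vendor defaults): a discard route and a
    bare default route never satisfy either mode.
    """
    route = fib.lookup(src)
    if route is None:
        return False, "no route to source"
    if route.interface is None:
        return False, "source matches a discard route"
    if route.prefix.prefixlen == 0:
        return False, "source is covered only by the default route"
    if mode == "loose":
        return True, f"route to source exists via {route.interface}"
    if mode == "strict":
        if route.interface == ingress:
            return True, f"best path to source is via {ingress}"
        return False, f"best path to source is via {route.interface}, not {ingress}"
    raise ValueError(f"unknown mode {mode!r}")


def fail_filter(src, dst, proto, dport):
    """Hypothetical fail-filter applied to packets that failed the uRPF lookup.

    DHCP/BOOTP discovers are sent from 0.0.0.0 to 255.255.255.255 and can never
    pass a source lookup, so they are accepted; everything else is discarded
    (a real filter would also log or count these, as MYFILTER does in the post).
    """
    if src == "0.0.0.0" and dst == "255.255.255.255" and proto == "udp" and dport == 67:
        return "accept"
    return "discard"


def forward(fib, pkt, ingress, mode):
    """Per-packet decision: uRPF check first, fail-filter only on failure."""
    passed, reason = rpf_check(fib, pkt["src"], ingress, mode)
    if passed:
        return "forward", reason
    return fail_filter(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"]), reason


def build_example_fib():
    """Constructed edge-router FIB: customer on et-0/0/3, two upstream links."""
    N = ipaddress.IPv4Network
    return Fib([
        Route(N("203.0.113.0/24"), "et-0/0/3"),   # customer block
        Route(N("198.51.100.0/24"), "xe-0/0/1"),  # learned only from upstream B
        Route(N("192.0.2.0/24"), None),           # blackholed prefix
        Route(N("0.0.0.0/0"), "xe-0/0/0"),        # default route via upstream A
    ])


if __name__ == "__main__":
    fib = build_example_fib()
    pkt = lambda s, d, p="tcp", dp=443: {"src": s, "dst": d, "proto": p, "dport": dp}
    cases = [  # (description, packet, ingress interface)
        ("customer, own address", pkt("203.0.113.7", "198.51.100.1"), "et-0/0/3"),
        ("customer spoofing a routed prefix", pkt("198.51.100.9", "203.0.113.1"), "et-0/0/3"),
        ("customer spoofing unrouted space", pkt("10.0.0.5", "203.0.113.1", "udp", 53), "et-0/0/3"),
        ("DHCP discover from customer", pkt("0.0.0.0", "255.255.255.255", "udp", 67), "et-0/0/3"),
        ("asymmetric return path via upstream A", pkt("198.51.100.9", "203.0.113.7"), "xe-0/0/0"),
        ("blackholed source", pkt("192.0.2.1", "203.0.113.7"), "xe-0/0/0"),
    ]
    for desc, p, ingress in cases:
        for mode in ("strict", "loose"):
            action, reason = forward(fib, p, ingress, mode)
            print(f"{desc:40} {ingress:9} {mode:6} -> {action:8} ({reason})")
```

Running the block prints the verdict for every packet in both modes. The two rows that matter in practice are the customer spoofing 198.51.100.9, which only strict mode catches because loose mode is satisfied by the route via xe-0/0/1, and the same address arriving legitimately on xe-0/0/0 (an asymmetric return path, since the route points at xe-0/0/1), which strict mode drops and loose mode forwards. That is exactly the trade-off the note on strict mode describes.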
Junos OS (EX, QFX Series):
Strict mode is the Junos default, so loose mode has to be configured explicitly:
set interfaces <interface name> unit <unit number> family inet rpf-check mode loose
Or:
rpf-check {
mode loose;
}
Sample Config:
darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check mode ?
Possible completions:
loose Reverse-path-forwarding loose mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check mode loose
Verification:
show interfaces <interface-name> detail
show interfaces <interface-name> extensive
Junos OS (MX Series):
set interfaces <interface name> unit <unit number> family inet rpf-check fail-filter <FILTER-NAME>
set interfaces <interface name> unit <unit number> family inet rpf-check mode loose
Or:
rpf-check {
fail-filter filter-name;
mode loose;
}
Sample Config:
darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set firewall family inet filter MYFILTER term 10 then log
darwin@JUNIPER-re0# set firewall family inet filter MYFILTER term 10 then discard
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check fail-filter MYFILTER
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose
Verification:
show interfaces <interface-name> detail
show interfaces <interface-name> extensive
show firewall log