uRPF Configuration on Juniper (MX,SRX,EX,QFX Series)

uRPF or Unicast Reverse Path Forwarding is a security feature/tool that help verifies reachability of source address in packets being forwarded. It can prevents malicious and spoofing attacks as it will perform forwarding table lookup on the source IP address.
– it as defined in RFC3704
– it follows RFC2827 for ingress filtering.
–  it relies on the CEF (Cisco Express Forwarding) or FIB table to perform lookups.
– preferably implemented at the network edge facing internet, customers and servers

Two modes

  1. Strict Mode(rx) – packet must be received on the interface that the router uses to forward the return packet. Two checks:
    –  if router has a matching entry for the source in the routing table
    – if the router uses same interface to reach the source as where it received this packet

Note: Need to very careful in implementing this as it may drop legitimate traffic, this normally occur when there’s asymmetric routing paths in the network.

Juniper OS:(EX,QFX Series):

For Juniper, the default is strict mode.

set interfaces <interface name> unit <unit number>  family inet rpf-check

or

rpf-check;

Sample Config:

darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check

Verification:

show interfaces <interface-name> detail
show interfaces <interface-name> extensive

 

Juniper OS:(MX Series):

set interfaces <interface name> unit <interface name> family inet rpf-check fail-filter <FILTER-NAME>
set interfaces <interface name> unit <interface name> family inet rpf-check mode strict

Or:

rpf-check {
    fail-filter filter-name;
     mode strict
     }

 

Sample Config:

darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0#set firewall family inet filter MYFILTER term 10 then log
darwin@JUNIPER-re0#set firewall family inet filter MYFILTER term 10 then discard

darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check fail-filter MYFILTER
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check mode strict

Verification:

show interfaces <interface-name> detail
show interfaces <interface-name> extensive

 

2. Loose Mode(any) – source address should appear in the routing table. It can be use when there is asymmetric routing paths in the network. So basically it will only perform single check
–  if router has a matching entry for the source in the routing table

Juniper OS:(EX,QFX Series):

For Juniper, the default is strict mode.

set interfaces <interface name> unit <unit number>  family inet rpf-check mode loose

Or:

rpf-check {
    mode loose;

Sample Config:

darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check mode ?
Possible completions:
loose Reverse-path-forwarding loose mode
{master}[edit]
darwin@JUNIPER-re0# set interfaces et-0/0/3 unit 0 family inet rpf-check mode loose

Verification:

Juniper OS:(MX Series):

set interfaces <interface name> unit <interface name> family inet rpf-check fail-filter <FILTER-NAME>
set interfaces <interface name> unit <interface name> family inet rpf-check mode loose

Or:

rpf-check {
    fail-filter filter-name;
     mode loose
     }

 

Sample Config:

darwin@JUNIPER-re0> configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0#set firewall family inet filter MYFILTER term 10 then log
darwin@JUNIPER-re0#set firewall family inet filter MYFILTER term 10 then discard

darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check fail-filter MYFILTER
darwin@JUNIPER-re0# set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose

Verification:

show interfaces <interface-name> detail
show interfaces <interface-name> extensive

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *