    Configuring Unicast RPF on ACX Series Routers

    IP spoofing can occur during a denial-of-service (DoS) attack. IP spoofing allows an intruder to pass IP packets to a destination as genuine traffic, when in fact the packets are not actually meant for the destination. This type of spoofing is harmful because it consumes the destination’s resources.

    A unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets that might be spoofing an address. A unicast RPF check performs a route table lookup on an IP packet’s source address, and checks the incoming interface. The router or switch determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the router or switch forwards the packet to the destination address. If it is not from a valid path, the router or switch discards the packet. Unicast RPF is supported for the IPv4 and IPv6 protocol families, as well as for the virtual private network (VPN) address family.

    Note: If you want to configure unicast RPF, your router must be equipped with the Internet Processor II application-specific integrated circuit (ASIC).

    If you enable unicast RPF on live traffic, some packets are dropped while the packet forwarding components are updating.

    For transit packets exiting the router through the tunnel, forwarding path features, such as RPF, forwarding table filtering, source class usage, and destination class usage are not supported on the interfaces you configure as the output interface for tunnel traffic. For firewall filtering, you must allow the output tunnel packets through the firewall filter applied to input traffic on the interface that is the next-hop interface towards the tunnel destination.

    The following sections describe unicast RPF in detail:

    Interworking of Unicast RPF With Different System Conditions

    The following is the unicast RPF behavior for different system configuration scenarios:

    • Unicast RPF with default routes—the unicast RPF check does not consider the default route for its reverse-path check. That means a packet is accepted only if a route prefix covering its source address is present in the routing table (loose mode).
    • Unicast RPF with filter-based forwarding—unicast RPF is applied in the Layer 3 lookup stage, in which all the filters have already been applied and the corresponding VRF has been identified. So it always uses the route table of the VRF the packet belongs to. The reverse-path check fails even if a valid route exists in another VRF table.
    • Unicast RPF with a virtual router or VRF—unicast RPF is applied in the Layer 3 lookup stage, in which the corresponding VRF or virtual router has been identified. So it always uses the route table of the VRF or virtual router the packet belongs to. The reverse-path check fails even if a valid route exists in another VRF table.
    • Unicast RPF with IP unnumbered interfaces—unicast RPF is also supported on IP unnumbered interfaces. In this case, it uses the properties of the referenced interface.
    • Unicast RPF with IPv6—unicast RPF is performed for IPv6 global unicast and unique local addresses only. For link-local IPv6 addresses, unicast RPF is not performed.

    Configuring Unicast RPF Strict Mode

    In strict mode, unicast RPF checks whether the incoming packet has a source address that matches a prefix in the routing table, and whether the interface expects to receive a packet with this source address prefix.

    If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface. When a packet is not accepted on an interface, unicast RPF counts the packet and sends it to an optional fail filter. If the fail filter is not configured, the default action is to silently discard the packet.

    The optional fail filter allows you to apply a filter to packets that fail the unicast RPF check. You can define the fail filter to perform any filter operation, including accepting, rejecting, logging, sampling, or policing.

    When unicast RPF is enabled on an interface, Bootstrap Protocol (BOOTP) packets and Dynamic Host Configuration Protocol (DHCP) packets are not accepted on the interface. To allow the interface to accept BOOTP packets and DHCP packets, you must apply a fail filter that accepts all packets with a source address of 0.0.0.0 and a destination address of 255.255.255.255.

    For more information about unicast RPF, see the Junos OS Routing Protocols Library. For more information about defining fail filters, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    To configure unicast RPF, include the rpf-check statement:

    rpf-check;

    You can include this statement at the [edit interfaces interface-name unit logical-unit-number family (inet | inet6)] hierarchy level.

    Configuring Unicast RPF Loose Mode

    By default, unicast RPF uses strict mode. Unicast RPF loose mode is similar to unicast RPF strict mode and has the same configuration restrictions. The only check in loose mode is whether the packet has a source address with a corresponding prefix in the routing table; loose mode does not check whether the interface expects to receive a packet with a specific source address prefix. If a corresponding prefix is not found, unicast RPF loose mode does not accept the packet. As in strict mode, loose mode counts the failed packet and optionally forwards it to a fail filter, which either accepts, rejects, logs, samples, or polices the packet.

    To configure unicast RPF loose mode, include the mode statement:

    mode loose;

    You can include this statement at the [edit interfaces interface-name unit logical-unit-number family (inet | inet6) rpf-check] hierarchy level.
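    The strict and loose checks described above, together with the VRF-scoped lookup, the skipped default route and the IPv6 link-local exemption listed under the Interworking section, can be modeled in a few lines. The following Python is an added example, not Junos code and not part of this guide: the routing tables, interface names and addresses are constructed, the instance name inet.0 stands in for the global table, and the decision logic follows the page's descriptions rather than the router's actual forwarding implementation.

```python
# Added example: a model of the unicast RPF decision this page describes.
# Not Junos code; the topology, interface names and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str            # destination prefix, e.g. "10.1.0.0/16"
    interfaces: Set[str]   # next-hop interfaces; a route can have several destinations


@dataclass
class Interface:
    name: str
    vrf: str                  # routing instance (VRF or virtual router) it belongs to
    rpf_mode: Optional[str]   # "strict", "loose", or None when rpf-check is not configured


@dataclass
class Router:
    tables: Dict[str, List[Route]]      # one routing table per routing instance
    interfaces: Dict[str, Interface]
    fail_count: Dict[str, int] = field(default_factory=dict)   # per-interface RPF failures

    def reverse_path_lookup(self, vrf: str, src: str) -> Optional[Route]:
        """Longest-prefix match on the packet's *source* address in the VRF's own table.
        The default route (prefix length 0) is skipped, as the Interworking section
        states: a source covered only by the default route has no reverse path."""
        addr = ip_address(src)
        best: Optional[Route] = None
        for route in self.tables.get(vrf, []):
            net = ip_network(route.prefix)
            if net.prefixlen == 0 or net.version != addr.version or addr not in net:
                continue
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = route
        return best

    def rpf_check(self, ifname: str, src: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a packet with source src arriving on ifname."""
        ifc = self.interfaces[ifname]
        if ifc.rpf_mode is None:
            return True, "rpf-check not configured on interface"
        addr = ip_address(src)
        if addr.version == 6 and addr.is_link_local:
            return True, "link-local IPv6 is not subject to unicast RPF"
        route = self.reverse_path_lookup(ifc.vrf, src)
        if route is None:
            return self._fail(ifname, f"no route for {src} in table {ifc.vrf}")
        # Loose mode stops here: any matching prefix in this VRF's table is enough.
        if ifc.rpf_mode == "loose":
            return True, f"loose: {src} covered by {route.prefix}"
        # Strict mode also requires the incoming interface to be one the route points at.
        if ifname not in route.interfaces:
            return self._fail(ifname, f"strict: {route.prefix} is reachable via "
                                      f"{sorted(route.interfaces)}, not {ifname}")
        return True, f"strict: {src} expected on {ifname} via {route.prefix}"

    def _fail(self, ifname: str, reason: str) -> Tuple[bool, str]:
        # A failed packet is counted and handed to the optional fail filter;
        # without a fail filter it is silently discarded.
        self.fail_count[ifname] = self.fail_count.get(ifname, 0) + 1
        return False, reason


# Constructed topology: a global table with a default route plus a Layer 3 VPN instance.
ROUTER = Router(
    tables={
        "inet.0": [
            Route("10.1.0.0/16", {"ge-0/0/0"}),
            Route("10.2.0.0/16", {"ge-0/0/1"}),
            Route("192.168.0.0/24", {"ge-0/0/0", "ge-0/0/1"}),   # multiple destinations
            Route("0.0.0.0/0", {"ge-0/0/9"}),                    # default route
        ],
        "VPN-A": [Route("172.16.0.0/12", {"ge-0/0/2"})],
    },
    interfaces={
        "ge-0/0/0": Interface("ge-0/0/0", "inet.0", "strict"),
        "ge-0/0/1": Interface("ge-0/0/1", "inet.0", "loose"),
        "ge-0/0/2": Interface("ge-0/0/2", "VPN-A", "strict"),   # CE-facing interface
        "ge-0/0/9": Interface("ge-0/0/9", "inet.0", None),      # core-facing, no RPF
    },
)

if __name__ == "__main__":
    for ifname, src in [("ge-0/0/0", "10.1.5.5"), ("ge-0/0/0", "10.2.5.5"),
                        ("ge-0/0/1", "10.1.5.5"), ("ge-0/0/1", "203.0.113.7"),
                        ("ge-0/0/2", "10.1.5.5"), ("ge-0/0/0", "fe80::1")]:
        ok, why = ROUTER.rpf_check(ifname, src)
        print(f"{ifname:9} {src:14} {'accept' if ok else 'FAIL  '} {why}")
```

    Running it shows the cases the text walks through: a source whose route points back out the arrival interface passes strict mode, the same source arriving on another interface fails strict mode but passes loose mode, a source covered only by the default route fails both modes, and a source that is routable only in the global table fails on the VPN-A interface because the lookup is confined to that instance's table.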

    Unicast RPF and Default Routes

    When the active route cannot be chosen from the routes in a routing table, the router chooses a default route. A default route is equivalent to an IP address of 0.0.0.0/0. If you configure a default route, and you configure unicast RPF on an interface that the default route uses, unicast RPF behaves differently than it does otherwise. For information about configuring default routes, see the Junos OS Routing Protocols Library.

    To determine whether the default route uses an interface, enter the show route command:

    user@host> show route address

    address is the next-hop address of the configured default route. The default route uses the interfaces shown in the output of the show route command.

    The following sections describe how unicast RPF behaves when a default route uses an interface and when a default route does not use an interface:

    Unicast RPF Behavior with a Default Route

    If you configure a default route that uses an interface configured with unicast RPF, unicast RPF behaves as follows:

    • Loose mode—All packets are automatically accepted. For this reason, we recommend that you not configure unicast RPF loose mode on interfaces that the default route uses.
    • Strict mode—The packet is accepted when either of the following is true:
      • The source address of the packet matches any of the routes (either default or learned) that can be originated from the interface. Note that routes can have multiple destinations associated with them; therefore, if one of the destinations matches the incoming interface of the packet, the packet is accepted.
      • The source address of the packet does not match any of the routes.

    The packet is not accepted when either of the following is true:

    • The source address of the packet does not match a prefix in the routing table.
    • The interface does not expect to receive a packet with this source address prefix.

    Unicast RPF Behavior Without a Default Route

    If you do not configure a default route, or if the default route does not use an interface configured with unicast RPF, unicast RPF behaves as described in Configuring Unicast RPF Strict Mode and Configuring Unicast RPF Loose Mode. To summarize, unicast RPF without a default route behaves as follows:

    • Strict mode—The packet is not accepted when either of the following is true:
      • The packet has a source address that does not match a prefix in the routing table.
      • The interface does not expect to receive a packet with this source address prefix.
    • Loose mode—The packet is not accepted when the packet has a source address that does not match a prefix in the routing table.

    Configuring Unicast RPF on a VPN

    You can configure unicast RPF on a VPN interface by enabling unicast RPF on the interface and including the interface statement at the [edit routing-instances routing-instance-name] hierarchy level.

    You can configure unicast RPF only on the interfaces you specify in the routing instance. This means the following:

    • For Layer 3 VPNs, unicast RPF is supported on the CE router interface.
    • Unicast RPF is not supported on core-facing interfaces.
    • For virtual-router routing instances, unicast RPF is supported on all interfaces you specify in the routing instance.
    • If an input filter forwards packets anywhere other than the routing instance the input interface is configured for, the unicast RPF check is not performed.

    For more information about VPNs and virtual-router routing instances, see the Junos OS VPNs Library for Routing Devices. For more information about filter-based forwarding (FBF), see the Junos OS Routing Protocols Library.

    Example: Configuring Unicast RPF on a VPN

    Configure unicast RPF on a Layer 3 VPN interface:

    [edit interfaces]
    so-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
            }
        }
    }
    [edit routing-instances]
    VPN-A {
        interface so-0/0/0.0;
    }

    Configuring Unicast RPF Fail Filter

    A unicast RPF fail filter allows you to apply a filter to packets that fail the unicast RPF check. ACX Series routers support configuring a unicast RPF fail filter on interfaces. You can define the fail filter to perform any filter operation, including accepting, rejecting, logging, or policing.

    For more information about unicast RPF, see the Junos OS Routing Protocols Library. For more information about defining fail filters, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    For information about configuring firewall filters, see Guidelines for Configuring Firewall Filters.

    To configure unicast RPF fail filter, include the fail-filter statement at the [edit interfaces interface-name unit logical-unit-number family (inet | inet6) rpf-check] hierarchy level.
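    As an added example (not Junos configuration and not part of this guide), the following Python models what a filter referenced by the fail-filter statement does with the packets that failed the check: terms are evaluated in order, the first matching term decides, and a packet that matches no term is discarded, the same outcome as when no fail filter is configured. The filter name, term names and addresses are constructed. The first term implements the BOOTP/DHCP exception from the strict-mode section (source 0.0.0.0 to destination 255.255.255.255); the second logs and counts everything else before discarding it. Only accept, discard, log and count are modeled, a subset of the operations the page lists.

```python
# Added example: a minimal model of a unicast RPF fail filter evaluated on packets
# that failed the check. Not Junos code; term names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Term:
    """One filter term: optional source/destination match and its actions.
    actions holds one terminating action ("accept" or "discard") plus optional
    modifiers ("log", "count")."""
    name: str
    source: Optional[str] = None        # CIDR the source address must fall in
    destination: Optional[str] = None   # CIDR the destination address must fall in
    actions: Tuple[str, ...] = ("discard",)

    def matches(self, src: str, dst: str) -> bool:
        if self.source and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination and ip_address(dst) not in ip_network(self.destination):
            return False
        return True


class FailFilter:
    def __init__(self, name: str, terms: List[Term]):
        self.name = name
        self.terms = terms
        self.counters: Dict[str, int] = {t.name: 0 for t in terms}
        self.log: List[str] = []

    def apply(self, src: str, dst: str) -> str:
        """Evaluate terms in order; the first matching term decides the packet's fate.
        A packet matching no term is discarded, which is also what happens to an
        RPF-failed packet when no fail filter is configured at all."""
        for term in self.terms:
            if not term.matches(src, dst):
                continue
            if "count" in term.actions:
                self.counters[term.name] += 1
            if "log" in term.actions:
                self.log.append(f"{self.name}/{term.name}: rpf-fail {src} -> {dst}")
            return "accept" if "accept" in term.actions else "discard"
        return "discard"


# Constructed filter: let DHCP/BOOTP discovery through (source 0.0.0.0 to destination
# 255.255.255.255, which the strict-mode section says a fail filter must accept),
# then log, count and drop every other packet that failed the RPF check.
RPF_FAIL = FailFilter("rpf-fail", [
    Term("allow-bootp", source="0.0.0.0/32", destination="255.255.255.255/32",
         actions=("count", "accept")),
    Term("log-spoofed", actions=("log", "count", "discard")),
])

if __name__ == "__main__":
    for src, dst in [("0.0.0.0", "255.255.255.255"), ("10.2.5.5", "198.51.100.1")]:
        print(src, "->", dst, RPF_FAIL.apply(src, dst))
    print(RPF_FAIL.counters)
    print("\n".join(RPF_FAIL.log))
```

    The first term is deliberately narrow: it matches only the all-zero source combined with the limited-broadcast destination, so a packet with source 0.0.0.0 sent to any other destination still falls through to the logging term and is discarded.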

    Modified: 2017-09-13