IP spoofing can occur during a denial-of-service (DoS) attack. IP spoofing allows an intruder to pass IP packets to a destination as genuine traffic when the packets are not in fact meant for the destination. This type of spoofing is harmful because it consumes the destination’s resources.
Unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets that may be spoofing an address. A unicast RPF check performs a route table lookup on an IP packet’s source address, and checks the incoming interface. The router determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the router forwards the packet to the destination address. If it is not from a valid path, the router discards the packet. Unicast RPF is supported for the IPv4 and IPv6 protocol families, as well as for the virtual private network (VPN) address family.
To control the operation of unicast RPF check, include the unicast-reverse-path statement:
- unicast-reverse-path (active-paths | feasible-paths);
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
To consider only active paths during the unicast RPF check, include the active-paths option. To consider all feasible paths during the unicast RPF check, include the feasible-paths option.
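The following simplified model is an added example, not JUNOS code or configuration. It shows how the source-address lookup and incoming-interface comparison described above behave under the active-paths and feasible-paths options. The routing table, interface names, and packets are constructed for illustration, and the model assumes one active path per prefix.

```python
import ipaddress

# Constructed routing table (assumption): source prefix -> candidate paths,
# each an (interface, is_active) pair. Exactly one path per prefix is active.
ROUTES = {
    "198.51.100.0/24": [("ge-0/0/0.0", True), ("ge-0/0/1.0", False)],
    "203.0.113.0/24": [("ge-0/0/2.0", True)],
}

MODES = ("active-paths", "feasible-paths")


def lookup_paths(src, routes=ROUTES):
    """Longest-prefix match on the packet's SOURCE address."""
    addr = ipaddress.ip_address(src)
    best_net, best_paths = None, []
    for prefix, paths in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_paths = net, paths
    return best_paths


def rpf_check(src, in_interface, mode="active-paths", routes=ROUTES):
    """Return True to forward, False to discard."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    paths = lookup_paths(src, routes)
    if mode == "active-paths":
        valid = {ifname for ifname, active in paths if active}
    else:  # feasible-paths: any known path back to the source is acceptable
        valid = {ifname for ifname, _ in paths}
    return in_interface in valid


# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("198.51.100.7", "ge-0/0/0.0", "arrives on the active path"),
    ("198.51.100.7", "ge-0/0/1.0", "legitimate, but arrives on the backup path"),
    ("198.51.100.7", "ge-0/0/2.0", "source claims a prefix reachable elsewhere"),
    ("192.0.2.9", "ge-0/0/2.0", "no route back to the source"),
]

if __name__ == "__main__":
    for src, ifname, note in PACKETS:
        verdicts = {m: rpf_check(src, ifname, m) for m in MODES}
        print(f"{src:15} via {ifname}: {verdicts}  # {note}")
```

The second packet is the case that separates the two options: with asymmetric routing, active-paths discards traffic that feasible-paths forwards, while both discard the last two packets.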
Note: Reverse-path forwarding is not supported on the interfaces you configure as tunnel sources. This affects only the transit packets exiting the tunnel.
You must enable unicast RPF check on an interface. To do so, include the rpf-check statement:
- rpf-check <fail-filter filter-name>;
You can include this statement at the following hierarchy levels:
For more information about configuring unicast RPF on an interface, see the JUNOS Network Interfaces Configuration Guide.