Scribd
Upload
26 views

Unicast Reverse Path Forwarding

The document discusses unicast reverse path forwarding (RPF) which is a tool to reduce IP spoofing. RPF performs a route table lookup on a packet's source address and checks the incoming interface to determine if the packet is from a valid path. It can operate in loose or strict mode and consider only active routes or all feasible routes when performing the check. A fail filter allows processing of packets that fail the RPF check.

Uploaded by

sathyamoorthy
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
26 views

Unicast Reverse Path Forwarding

The document discusses unicast reverse path forwarding (RPF) which is a tool to reduce IP spoofing. RPF performs a route table lookup on a packet's source address and checks the incoming interface to determine if the packet is from a valid path. It can operate in loose or strict mode and consider only active routes or all feasible routes when performing the check. A fail filter allows processing of packets that fail the RPF check.

Uploaded by

sathyamoorthy
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

Unicast Reverse Path Forwarding

IP Spoofing
• IP spoofing is a method of attempting to gain access by inserting a
false source address in the packet header

• This makes the packet appear as if it’s coming from a trusted


source
Router 1
Incoming Packet ge-0/0/1
Source IP = 10.1.1.6
ge-0/0/0

10.1.1.0/24
firewall {
filter SPOOF-PREVENTION {
term DROP-SPOOFED-LAN {
from {
Router 1 source-address 10.1.1.0/24;
ge-0/0/1 }
WAN
then {
ge-0/0/0 discard;
}
}
term ALLOW-OTHERS {
then {
10.1.1.0/24 accept;
}
}
}
}
Unicast Reverse Path Forwarding
• Unicast reverse-path-forwarding (RPF) check is a tool to reduce
forwarding of IP packets that may be spoofing an address

• It performs a route table lookup on an IP packet’s source address


and checks the incoming interface

• If the packet is from a valid path, the router forwards the packet to
the destination address. Otherwise the router discards the packet
Unicast Reverse Path Forwarding
• Loose mode – the incoming packet’s source address must be in the
route table

• Strict mode – the incoming packet must be received on the


interface that would be used to forward traffic to the source IP
address

• Strict mode is the default


R2

R1 R4

R3 Active Path

Feasible Path
Active vs Feasible Path
• By default, when Junos performs its RPF check, it considers only
the active routes to a given destination

• In networks where multiple routes exist (different forward and


reverse paths), the default behavior of considering only active
routes can cause legitimate traffic to be dropped

• To address this, Junos can be configured to consider all feasible


routes to a destination when it performs RPF
Active vs Feasible Path
• In this mode, the system considers all routes it receives to a given
destination, even if they are not the active route to the destination

• This option should be activated where the possibility of asymmetric


routing exists
Fail Filter
• Allows you to perform additional processing on packets that have
failed the unicast RPF check

• Can perform operations such as accepting, rejecting, logging,


sampling or policing of packets
Fail Filter Use Cases
• Allow packets that would normally fail an RPF check, such as
BOOTP packets and DHCP packets – these packets have a source
address of 0.0.0.0 and a destination address of 255.255.255.255

• Allow failed packets to be further processed such as logging or


counting
firewall {
filter DHCP-BOOTP {
term ALLOW-DHCP-BOOTP {
from {
source-address 0.0.0.0/32;
}
destination-address {
255.255.255.255/32;
}
}
then accept;
}
}
}

You might also like