Unicast Reverse Path Forwarding

The document discusses unicast reverse path forwarding (RPF) which is a tool to reduce IP spoofing. RPF performs a route table lookup on a packet's source address and checks the incoming interface to determine if the packet is from a valid path. It can operate in loose or strict mode and consider only active routes or all feasible routes when performing the check. A fail filter allows processing of packets that fail the RPF check.

Uploaded by sathyamoorthy

Unicast Reverse Path Forwarding

IP Spoofing
• IP spoofing is a method of attempting to gain access by inserting a false source address in the packet header
• This makes the packet appear as if it’s coming from a trusted source
[Figure: Router 1 with ge-0/0/0 facing the 10.1.1.0/24 LAN and ge-0/0/1 facing the WAN; an incoming packet on ge-0/0/1 carries Source IP = 10.1.1.6]

firewall {
    filter SPOOF-PREVENTION {
        term DROP-SPOOFED-LAN {
            from {
                source-address 10.1.1.0/24;
            }
            then {
                discard;
            }
        }
        term ALLOW-OTHERS {
            then {
                accept;
            }
        }
    }
}
Unicast Reverse Path Forwarding
• The unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets that may be spoofing an address
• It performs a route table lookup on an IP packet’s source address and checks the incoming interface
• If the packet is from a valid path, the router forwards the packet to the destination address. Otherwise the router discards the packet
Unicast Reverse Path Forwarding
• Loose mode – the incoming packet’s source address must be in the route table
• Strict mode – the incoming packet must be received on the interface that would be used to forward traffic to the source IP address
• Strict mode is the default

[Figure: R1 and R4 connected through R2 and through R3; one path is labelled Active Path and the other Feasible Path]
Active vs Feasible Path
• By default, when Junos performs its RPF check, it considers only the active routes to a given destination
• In networks where multiple routes exist (different forward and reverse paths), the default behavior of considering only active routes can cause legitimate traffic to be dropped
• To address this, Junos can be configured to consider all feasible routes to a destination when it performs RPF
• In this mode, the system considers all routes it receives to a given destination, even if they are not the active route to the destination
• This option should be activated where the possibility of asymmetric routing exists
Fail Filter
• Allows you to perform additional processing on packets that have failed the unicast RPF check
• Can perform operations such as accepting, rejecting, logging, sampling or policing of packets

Fail Filter Use Cases
• Allow packets that would normally fail an RPF check, such as BOOTP packets and DHCP packets – these packets have a source address of 0.0.0.0 and a destination address of 255.255.255.255
• Allow failed packets to be further processed such as logging or counting
firewall {
    filter DHCP-BOOTP {
        term ALLOW-DHCP-BOOTP {
            from {
                source-address 0.0.0.0/32;
                destination-address {
                    255.255.255.255/32;
                }
            }
            then accept;
        }
    }
}
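The following is an added example, not part of the slides, that models the RPF decision described above (strict vs loose mode, active-only vs feasible-paths, and a fail filter for DHCP/BOOTP) against a constructed route table and sample packets; the interface names and prefixes are assumptions for illustration.

```python
# Added example (not from the slides): a small model of the uRPF decision.
# Routes and packets below are constructed sample data, not real topology.
from ipaddress import ip_address, ip_network

# Route table for a router: prefix -> {outgoing interface: is_active}.
# 10.9.0.0/16 is reachable via ge-0/0/1 (active) and ge-0/0/2 (feasible only).
ROUTES = {
    ip_network("10.1.1.0/24"): {"ge-0/0/0": True},
    ip_network("10.9.0.0/16"): {"ge-0/0/1": True, "ge-0/0/2": False},
}


def lookup(src):
    """Longest-prefix match on the packet's source address; None if no route."""
    matches = [n for n in ROUTES if ip_address(src) in n]
    return max(matches, key=lambda n: n.prefixlen, default=None)


def rpf_check(src, ingress, mode="strict", feasible_paths=False):
    """True if the packet passes the uRPF check in the given mode."""
    net = lookup(src)
    if net is None:       # no route to the source: fails in both modes
        return False
    if mode == "loose":   # loose mode only needs a route to exist
        return True
    # strict mode: ingress must be an interface used to reach the source;
    # with feasible_paths, non-active (feasible) routes also count
    valid = {i for i, active in ROUTES[net].items() if active or feasible_paths}
    return ingress in valid


def dhcp_bootp_fail_filter(src, dst):
    """Models the DHCP-BOOTP fail filter: accept 0.0.0.0 -> 255.255.255.255."""
    return src == "0.0.0.0" and dst == "255.255.255.255"


def forward_decision(src, dst, ingress, mode="strict", feasible_paths=False):
    """'forward' if RPF passes or the fail filter accepts, else 'discard'."""
    if rpf_check(src, ingress, mode, feasible_paths):
        return "forward"
    return "forward" if dhcp_bootp_fail_filter(src, dst) else "discard"


if __name__ == "__main__":
    # Spoofed LAN source arriving on the WAN interface: strict mode discards it.
    print(forward_decision("10.1.1.6", "10.9.1.1", "ge-0/0/1"))
    # Same packet under loose mode: a route exists, so it is forwarded.
    print(forward_decision("10.1.1.6", "10.9.1.1", "ge-0/0/1", mode="loose"))
```

Running the block prints `discard` then `forward`, showing why the spoof in the first slide's figure is only caught in strict mode.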