The Juniper unicast Reverse-Path-Forwarding (unicast RPF) feature is used to prevent spoofing attacks, in which an intruder forges the source IP address of a packet so that it appears to come from a legitimate address. Source-address spoofing is very common in DoS attacks.

Juniper Unicast Reverse-Path-Forwarding Fundamentals

What is IP Spoofing?

To better understand how the unicast RPF feature works, let's first look at what IP spoofing is.

Figure: what is IP spoofing

This is an enterprise network in which a LAN and a data center are connected to the Internet through the enterprise core. 192.168.1.0/24 is the address range of the LAN and 172.16.1.0/24 is the address range of the data center.

The LAN is connected to the enterprise core through gigabit ethernet 1, the data center is connected through gigabit ethernet 2, and interface gigabit ethernet 3 connects the network to the Internet.

Now suppose that an attacker sends traffic from the Internet to the data center with a source address of 192.168.1.x. This is obviously a forged address, since 192.168.1.x lives behind gigabit ethernet 1 while the traffic is received on gigabit ethernet 3. This is what we call spoofing of the source IP address.

An attacker changes the source IP address so that the packet appears to come from a legitimate source and can bypass firewalls and filtering tools. Spoofing the source IP address is very common in DoS attacks.

How can we detect that a packet is spoofed, and how can we prevent packet spoofing?

In this figure, from a human point of view, it is completely obvious. But let's check how a router or a firewall can detect and prevent it.

How is IP Spoofing prevented?

Packet spoofing is detected with the help of the routing table.

Figure: how IP spoofing is detected

As you can see in the routing table, the router knows that 192.168.1.0/24 and 172.16.1.0/24 are reachable through gigabit ethernet 1 and gigabit ethernet 2 respectively, and that the outgoing interface of the default route is gigabit ethernet 3.

When a packet is received by the router, its source address is looked up in the routing table. The packet must have arrived on the outgoing interface of the active route for that source address; otherwise it is discarded.

In this example the packet is received with a source of 192.168.1.x. Gigabit ethernet 1 is the outgoing interface of the active route for 192.168.1.0/24, but the packet was received on gigabit ethernet 3. So this is a spoofed packet and it will be discarded.

This is exactly how unicast RPF strict mode works.

Juniper Unicast Reverse-Path-Forwarding strict and loose Modes

What we have explained is exactly unicast reverse-path-forwarding strict mode, which is the default mode of RPF on Juniper devices.

There is another mode of unicast RPF called loose mode, in which the incoming interface is not important; what matters is only that a route for the source IP address exists. If there is no route for the source IP address, the packet is discarded.

In this example, the LAN, the data center and the WAN, with address ranges 192.168.1.0/24, 172.16.1.0/24 and 10.10.0.0/16, are connected to interfaces gigabit ethernet 1, gigabit ethernet 2 and gigabit ethernet 3 respectively.

Figure: unicast RPF strict mode versus loose mode

A packet is received on interface gigabit ethernet 3 with a source address of 192.168.1.10. This packet is permitted by unicast RPF loose mode, since there is a route for 192.168.1.0/24 in the routing table. But the same packet is discarded by the default strict mode, since the outgoing interface of the route for 192.168.1.0/24 is gigabit ethernet 1 while the packet was received on gigabit ethernet 3.

Unicast RPF loose mode permits every packet if there is a default route in the routing table, because the default route matches any source IP address. In other words, unicast RPF loose mode is more or less useless when there is a default route in the routing table.

I say "more or less" because loose mode still discards packets whose source address resolves to a route pointing to the discard interface (this is how loose mode is typically combined with blackhole routes), which is outside our discussion here.

Figure: unicast RPF loose mode is useless with a default route in the routing table

Juniper Unicast Reverse-Path-Forwarding Basic Configuration

To enable the unicast RPF feature on an interface, use the command "rpf-check" for strict mode and "rpf-check mode loose" for loose mode, under family inet of the interface's logical unit.

!!! strict mode
set interfaces ge-0/0/0 unit 0 family inet rpf-check
!!! loose mode
set interfaces ge-0/0/0 unit 0 family inet rpf-check mode loose

Juniper Unicast RPF Active-Path and Feasible Path

If a packet is received on an interface and more than one route exists for its source address, by default only the active route is used to decide whether the packet is discarded or forwarded.

To better understand this, in this figure a router receives a packet on interface G1 with a source address of 192.168.1.10. In the router's routing table there are two paths for 192.168.1.0/24, and the one with outgoing interface G2 is the active route.

Figure: unicast RPF active versus feasible paths

By default this packet is discarded in strict mode, since only the active route is the decision criterion for the RPF check.

With the command "set routing-options forwarding-table unicast-reverse-path feasible-paths", we change the policy so that feasible (non-active) paths are also accepted by the RPF check. This is especially useful in networks with asymmetric routing, where traffic from a source may legitimately arrive on an interface other than the one of the active route towards it. Note that this is a global setting of the forwarding table, not a per-interface one; "active-paths" is the default.

!!! unicast RPF active-paths (default) or feasible-paths
set routing-options forwarding-table unicast-reverse-path active-paths
!!! or
set routing-options forwarding-table unicast-reverse-path feasible-paths

Use a Fail-Filter to bypass the Unicast RPF check

Juniper RPF has another feature, named "fail-filter", to bypass the unicast RPF check for specific traffic: packets that fail the RPF check but are nonetheless legitimate.

For example, a DHCP discover or request from a client has source address 0.0.0.0 and destination 255.255.255.255. If such a packet is received on an interface with RPF checking, it will be discarded.

To configure a fail filter, first define a firewall filter that accepts these special packets, then reference it in the interface's rpf-check command. The fail filter is evaluated only for packets that have already failed the RPF check, so traffic that passes RPF is never affected by it. Keep the accept terms as narrow as possible, because every accept term is a hole in the spoofing check; the final term below logs and rejects everything else that failed RPF. Note that "reject" sends an ICMP unreachable back towards the (possibly spoofed) source address; use "discard" instead if you want to drop silently without generating backscatter. Once applied, the number of DHCP packets that used the exception can be seen in the counter shown by "show firewall filter rpf-special-case-dhcp".

!!! unicast RPF fail-filter

set firewall filter rpf-special-case-dhcp term allow-dhcp from source-address 0.0.0.0/32
set firewall filter rpf-special-case-dhcp term allow-dhcp from destination-address 255.255.255.255/32
set firewall filter rpf-special-case-dhcp term allow-dhcp then count rpf-dhcp-traffic
set firewall filter rpf-special-case-dhcp term allow-dhcp then accept
set firewall filter rpf-special-case-dhcp term default then log
set firewall filter rpf-special-case-dhcp term default then reject

set interfaces ge-0/0/0 unit 0 family inet rpf-check fail-filter rpf-special-case-dhcp
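To make the decision logic of the three sections above concrete (strict versus loose mode and the effect of a default route, active-paths versus feasible-paths, and the fail-filter), here is a small Python model of the per-packet RPF decision. It is an added example written for this page, not Juniper code, and it simplifies Junos behaviour: the routing tables and packets are constructed for the figures in the text, the interface name "discard" stands in for a route with a discard next hop, and the DHCP fail filter is reduced to its single accept term.

```python
"""Model of the Junos unicast RPF decision: strict vs loose mode, active-paths vs
feasible-paths, and the fail-filter escape hatch.

Added illustration, not Juniper's implementation. Routing tables and packets are
constructed for the figures in the text. A path whose interface is "discard"
models a route with a discard next hop (an assumption of this model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str        # outgoing interface of this path
    active: bool = True   # False marks a feasible (non-active) path to the same prefix


def lookup(table, src):
    """Longest-prefix match on the source address; returns every path for the best prefix."""
    addr = ip_address(src)
    matching = [r for r in table if addr in ip_network(r.prefix)]
    if not matching:
        return []
    best = max(ip_network(r.prefix).prefixlen for r in matching)
    return [r for r in matching if ip_network(r.prefix).prefixlen == best]


def rpf_check(table, src, ingress, mode="strict", feasible_paths=False):
    """True if a packet from `src` arriving on `ingress` passes the RPF check."""
    paths = lookup(table, src)
    if not paths or all(p.interface == "discard" for p in paths):
        return False          # no route, or route to discard: both modes drop
    if mode == "loose":
        return True           # any usable route is enough; the ingress interface is ignored
    candidates = paths if feasible_paths else [p for p in paths if p.active]
    return any(p.interface == ingress for p in candidates)


def dhcp_fail_filter(src, dst):
    """Models firewall filter rpf-special-case-dhcp: accept a DHCP discover/request
    (0.0.0.0 -> 255.255.255.255) and reject everything else."""
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return "accept"
    return "reject"


def forward(table, src, dst, ingress, mode="strict", feasible_paths=False, fail_filter=None):
    """Per-packet decision on an rpf-check interface. The fail filter is consulted
    only for packets that FAIL the RPF check, never for packets that pass it."""
    if rpf_check(table, src, ingress, mode, feasible_paths):
        return "forward"
    if fail_filter is not None and fail_filter(src, dst) == "accept":
        return "forward"
    return "discard"


# Constructed tables for the topologies in the figures (ge-1 LAN, ge-2 data center, ge-3 Internet)
CORE = [Route("192.168.1.0/24", "ge-1"), Route("172.16.1.0/24", "ge-2")]
CORE_WITH_DEFAULT = CORE + [Route("0.0.0.0/0", "ge-3")]
# A (constructed) bogon prefix routed to discard: loose mode drops it although a route exists
WITH_DISCARD = CORE_WITH_DEFAULT + [Route("203.0.113.0/24", "discard")]
# Two paths to the LAN prefix, ge-2 active and ge-1 feasible (the asymmetric routing figure)
ASYMMETRIC = [Route("192.168.1.0/24", "ge-2"), Route("192.168.1.0/24", "ge-1", active=False)]


if __name__ == "__main__":
    cases = [
        ("strict, LAN source arriving from Internet", rpf_check(CORE, "192.168.1.10", "ge-3")),
        ("loose, same packet", rpf_check(CORE, "192.168.1.10", "ge-3", mode="loose")),
        ("loose, unknown source, no default route", rpf_check(CORE, "198.51.100.7", "ge-3", mode="loose")),
        ("loose, unknown source, default route", rpf_check(CORE_WITH_DEFAULT, "198.51.100.7", "ge-3", mode="loose")),
        ("loose, source routed to discard", rpf_check(WITH_DISCARD, "203.0.113.5", "ge-3", mode="loose")),
        ("strict, feasible path only, active-paths", rpf_check(ASYMMETRIC, "192.168.1.10", "ge-1")),
        ("strict, feasible path only, feasible-paths", rpf_check(ASYMMETRIC, "192.168.1.10", "ge-1", feasible_paths=True)),
        ("DHCP discover via fail-filter", forward(CORE, "0.0.0.0", "255.255.255.255", "ge-1", fail_filter=dhcp_fail_filter)),
    ]
    for label, result in cases:
        print(f"{label}: {result}")
```

Running the script prints one line per case. Two things worth noticing against the figures: with a default route present, loose mode passes the unknown source 198.51.100.7 while strict mode still drops it on any interface other than ge-3, and the DHCP packet is forwarded only because it took the fail-filter path after failing RPF, so removing the fail filter makes the same packet a discard.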