Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Author Message
admin
Post  Post subject: Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX  |  Posted: Fri Feb 01, 2013 12:05 pm
Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX

Unicast reverse path filtering is a router/firewall/switch feature that allows ISPs to counteract spoofing attempts.

On Junos it can be activated per interface; for each incoming packet it checks the source IP against the FIB (Forwarding Information Base) to see whether the source IP and the incoming interface match.


Example of activating reverse path filter on an RVI interface:
Code:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check
set interfaces vlan unit 22 family inet address 10.1.22.1/27


Verifying if RPF is enabled:
Code:
LaR3@samantha# run show interfaces vlan.22 extensive
  Logical interface vlan.22 (Index 89) (SNMP ifIndex 528) (Generation 154)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.22 ]  Encapsulation: ENET2
    Bandwidth: 0
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Security: Zone: dmz-zone
    Allowed host-inbound traffic : ping ntp
    Flow Statistics : 
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     1
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        202918
      Connections established :          1
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        213607
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0       
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 162, Route table: 0
      Flags: Sendbcast-pkt-to-re, uRPF 
      RPF Failures: Packets: 0, Bytes: 0       --> ENABLED
      Input Filters: classify-dmz-traffic
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.1.22.0/27, Local: 10.1.22.1, Broadcast: 10.1.22.31, Generation: 162


So my SRX expects 10.1.22.0/27 sourced packets on vlan.22 interface.

What will happen with a packet sourced from 192.168.1.2, for example? Let's check:
Code:
LaR3@samantha# run show route forwarding-table destination 192.168.1.2
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
192.168.1.0/24     intf     0                    rslv   596     1 vlan.8


So Junos expects 192.168.1.0/24-sourced packets on the vlan.8 interface, not on vlan.22. Let's see what happens if I send such a packet on the network to the SRX:
Code:
LaR3@samantha# run show interfaces vlan.22 extensive | match rpf                             
      Flags: Sendbcast-pkt-to-re, uRPF
      RPF Failures: Packets: 1, Bytes: 40


So the TCP SYN packet was dropped and logged to interface counters.

What if we want to see more details on which customers are spoofing the most?

Well, you can apply a firewall filter to those packets that fail the RPF check (spoofed):
Code:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check fail-filter log-rpf
set interfaces vlan unit 22 family inet address 10.1.22.1/27

[edit]
LaR3@samantha# show firewall filter log-rpf
term 0 {
    then log;
}




The "log-rpf" filter will be applied to all packets failing the rpf check (spoofed). To verify this:
Code:
LaR3@samantha# run show firewall log detail interface vlan.22
Time of Log: 2013-02-01 15:58:46 UTC, Filter: pfe, Filter action: accept, Name of interface: vlan.22
Name of protocol: TCP, Packet Length: 40, Source address: 192.168.1.2:46017, Destination address: 8.8.8.8:61510
Time of Log: 2013-02-01 15:58:27 UTC, Filter: pfe, Filter action: accept, Name of interface: vlan.22
Name of protocol: TCP, Packet Length: 40, Source address: 10.1.23.2:33204, Destination address: 8.8.8.8:53546


Note that applying the above firewall filter to RPF-fail packets will allow those packets, so if you want them dropped, set the correct action in the filter.





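To make the two behaviours in the post concrete (strict uRPF comparing the FIB's best route for the source against the ingress interface, and a fail-filter whose only action is `log` still forwarding the spoofed packet), here is an added Python simulation. It is example code written for this page, not code from the original post or from Juniper: the FIB, the assumed static route 10.9.0.0/16 via vlan.8, the interface model and the sample packets are all constructed for illustration, and the counter behaviour with a fail-filter attached is an assumption, since the post only shows the firewall log in that configuration. It also goes one step beyond the post by modelling `rpf-check mode loose` next to the strict default.

```python
"""Simulated Junos-style unicast RPF (uRPF) check with an optional fail-filter.

Added example, not code from the original post or from Juniper. The FIB,
interface names and packets are constructed; the two connected prefixes copy
the routes the post shows (10.1.22.0/27 on vlan.22, 192.168.1.0/24 on vlan.8).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed FIB: prefix -> interface the router would use to reach it.
FIB = {
    ipaddress.ip_network("10.1.22.0/27"): "vlan.22",
    ipaddress.ip_network("192.168.1.0/24"): "vlan.8",
    ipaddress.ip_network("10.9.0.0/16"): "vlan.8",   # assumed static route via vlan.8
}


def lookup(src: str) -> Optional[str]:
    """Longest-prefix match of src in FIB; None when no route covers it."""
    ip = ipaddress.ip_address(src)
    best_len, best_if = -1, None
    for prefix, ifname in FIB.items():
        if ip in prefix and prefix.prefixlen > best_len:
            best_len, best_if = prefix.prefixlen, ifname
    return best_if


def rpf_check(src: str, ingress: str, mode: str = "strict") -> bool:
    """True when the packet passes uRPF.

    strict (Junos default): the best route to src must point back out ingress.
    loose  (rpf-check mode loose): any route to src is enough; tolerates
           asymmetric routing but only catches sources with no route at all.
    """
    via = lookup(src)
    if via is None:
        return False                # no route to the source: always fails
    return mode == "loose" or via == ingress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ingress: str


@dataclass
class FailFilter:
    """Model of `rpf-check fail-filter <name>`: actions of the matching term."""
    log: bool = False
    discard: bool = False       # without this, a logged packet is still forwarded


class RpfInterface:
    def __init__(self, name: str, mode: str = "strict",
                 fail_filter: Optional[FailFilter] = None):
        self.name = name
        self.mode = mode
        self.fail_filter = fail_filter
        self.rpf_failures = 0       # the "RPF Failures: Packets:" counter
        self.firewall_log = []      # what `show firewall log` would list

    def receive(self, pkt: Packet) -> str:
        """Return the verdict ('accept' or 'discard') for one ingress packet."""
        if pkt.ingress != self.name:
            raise ValueError(f"{pkt} did not arrive on {self.name}")
        if rpf_check(pkt.src, self.name, self.mode):
            return "accept"
        self.rpf_failures += 1      # assumed to count even when a fail-filter runs
        if self.fail_filter is None:
            return "discard"        # default: silently dropped, counter only
        if self.fail_filter.log:
            self.firewall_log.append(
                f"{pkt.proto} {pkt.src} -> {pkt.dst} on {self.name}")
        return "discard" if self.fail_filter.discard else "accept"


def demo() -> dict:
    """Run the post's scenario: spoofed 192.168.1.2 arriving on vlan.22."""
    legit = Packet("10.1.22.5", "8.8.8.8", "TCP", "vlan.22")
    spoofed = Packet("192.168.1.2", "8.8.8.8", "TCP", "vlan.22")   # belongs on vlan.8
    no_fail_filter = RpfInterface("vlan.22")
    log_only = RpfInterface("vlan.22", fail_filter=FailFilter(log=True))
    log_and_drop = RpfInterface("vlan.22",
                                fail_filter=FailFilter(log=True, discard=True))
    return {
        "legit": no_fail_filter.receive(legit),
        "default": no_fail_filter.receive(spoofed),
        "log_only": log_only.receive(spoofed),      # logged but forwarded!
        "log_and_drop": log_and_drop.receive(spoofed),
        "logged": len(log_only.firewall_log) + len(log_and_drop.firewall_log),
        "failures": no_fail_filter.rpf_failures,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `log_and_drop` case corresponds to giving the post's filter a second action, i.e. `set firewall filter log-rpf term 0 then log` together with `set firewall filter log-rpf term 0 then discard`, so that spoofed packets are both recorded in `show firewall log` and dropped instead of being forwarded with "Filter action: accept".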
admin
Post  Post subject: Re: Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX  |  Posted: Fri Feb 01, 2013 12:09 pm
More info:
http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/configuring-unicast-reverse-path-forwarding-check.html
http://www.juniper.net/techpubs/en_US/junos12.1/topics/topic-map/unicast-rpf.html
http://www.juniper.net/techpubs/en_US/junos9.4/topics/concept/unicast-rpf-ex-series.html
