Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Posted by mandrei99 on Thu May 30, 2013 9:20 am
Junos 11.4 - SRX flow mode - traffic destined for loopback lo0 interface

Junos - SRX - communicating with the loopback lo0 interface of a remote device

The packet path through Junos on the SRX platforms is a little more complicated than on all other platforms, because of security zones and policies.

Starting with Junos 11 (iirc), the flow path for traffic destined to the IP address of the lo0.0 loopback interface of an SRX running in flow mode has changed, because the loopback now needs to be assigned to a security zone.

Below are the hurdles a packet has to clear before it reaches the destination IP on the lo0.0 interface.
Configuration before I begin:
Code:
root@daniel# show interfaces fe-0/0/7 
unit 0 {
    family inet {
        address 10.0.0.1/24;
    }
}

[edit]
root@daniel# show interfaces lo0.0       
family inet {
    address 192.168.27.1/32;
}

[edit]
root@daniel# top show security zones
security-zone trust {
    interfaces {
        fe-0/0/7.0;
    }
}

Assume a host (preferably UNIX) with IP 10.0.0.2, directly connected to an SRX 100 on interface fe-0/0/7 (zone "trust", IP 10.0.0.1), with a static or dynamic route to the SRX loopback lo0.0 address 192.168.27.1. Starting with Junos 11, a ping from <UNIX HOST> to 192.168.27.1 will:

1. Check the zone of the outgoing interface, since the security framework is based on zone-to-zone policies.
Because lo0.0 is not assigned to any zone by default, the packet is dropped.

Flow trace output (security flow traceoptions) showing what happens when lo0.0 is not assigned to any zone:
Code:
May 30 12:47:16 12:47:16.647867:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
...
May 30 12:47:16 12:47:16.647867:CID-0:RT:Changing out-ifp from .local..0 to lo0.0 for dst: 192.168.27.1 in vr_id:0
May 30 12:47:16 12:47:16.647867:CID-0:RT:  routed (x_dst_ip 192.168.27.1) from trust (fe-0/0/7.0 in 0) to lo0.0, Next-hop: 192.168.27.1
May 30 12:47:16 12:47:16.647867:CID-0:RT:  packet dropped, out_ifp is null or in null-zone
May 30 12:47:16 12:47:16.647867:CID-0:RT:Out-ifp lo0.0 is null or in null zone
May 30 12:47:16 12:47:16.647867:CID-0:RT:  flow find session returns error.

Assigning lo0.0 to a security zone:
Code:
set security zones security-zone re interfaces lo0.0


2. Once the loopback is assigned to a zone ("re" in this example), Junos next checks the security policies from the zone of the incoming physical interface ("trust") to the zone the loopback belongs to ("re"):
Code:
May 30 12:48:57 12:48:57.548449:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
May 30 12:48:57 12:48:57.548449:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x122f,0x122f)
May 30 12:48:57 12:48:57.548449:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 30 12:48:57 12:48:57.548449:CID-0:RT:  packet dropped, denied by policy
May 30 12:48:57 12:48:57.548449:CID-0:RT:  denied by policy default-policy-00(2), dropping pkt
May 30 12:48:57 12:48:57.548449:CID-0:RT:  packet dropped,  policy deny.
May 30 12:48:57 12:48:57.548449:CID-0:RT:  flow find session returns error.


Since no policy between the two zones is in place, the default policy (deny) is applied and the packet is dropped.
Let's create a policy from "trust" to "re" that permits everything (for convenience):
Code:
# set security policies from-zone trust to-zone re policy any match source-address any
# set security policies from-zone trust to-zone re policy any match destination-address any
# set security policies from-zone trust to-zone re policy any match application any
# set security policies from-zone trust to-zone re policy any then permit
# set security policies default-policy permit-all

Caveat: the last command is not needed for the trust-to-re policy to work, and it changes the global default from deny-all to permit-all, so every zone pair without an explicit policy becomes open. Outside a lab, leave the default policy at deny-all and, ideally, match only the management applications you actually need (junos-ping, junos-ssh, and so on) instead of "any".


3. Now that the loopback is assigned to a security zone and a security policy to permit traffic from trust to re is in place, there is one more impediment:
Code:
May 30 12:54:59 12:54:59.143260:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
May 30 12:54:59 12:54:59.143260:CID-0:RT:  routed (x_dst_ip 192.168.27.1) from trust (fe-0/0/7.0 in 0) to lo0.0, Next-hop: 192.168.27.1
May 30 12:54:59 12:54:59.143260:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x1238,0x1238)
May 30 12:54:59 12:54:59.143260:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
May 30 12:54:59 12:54:59.143260:CID-0:RT:  permitted by policy any(4)
May 30 12:54:59 12:54:59.143260:CID-0:RT:  post addr xlation: 10.0.0.2->192.168.27.1.
May 30 12:54:59 12:54:59.143260:CID-0:RT:  flow_first_create_session
May 30 12:54:59 12:54:59.143260:CID-0:RT:  chose interface lo0.0 as incoming nat if.
May 30 12:54:59 12:54:59.143260:CID-0:RT:  packet dropped: for self but not interested
May 30 12:54:59 12:54:59.143260:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
May 30 12:54:59 12:54:59.143260:CID-0:RT:  flow find session returns error.

The above means that the PFE (Packet Forwarding Engine) refuses to hand the packet to the Routing Engine: the loopback is a Routing Engine interface, and no host-inbound traffic has been allowed on it yet.

The final step is to tell the forwarding engine which system services and/or protocols it must pass up to the Routing Engine on that interface, using host-inbound-traffic:
Code:
# set security zones security-zone re interfaces lo0.0 host-inbound-traffic system-services ping


Now ICMP (ping) packets, and only those, traverse the forwarding engine of the SRX and reach the IP address of the device's loopback interface. Any other service (ssh, snmp, ...) or routing protocol destined to lo0.0 must be listed under host-inbound-traffic system-services or protocols as well.

Note: the "trust" zone does not need a host-inbound-traffic directive here, because the ping is not destined to 10.0.0.1. host-inbound-traffic is only consulted for packets whose destination is the IP address of an interface belonging to that zone.

Hope this helps.
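The three drop reasons above, as an added example that is not part of the original post: a small Python triage script that reads security flow traceoptions output of the kind shown in steps 1 to 3 and prints the `set` command for the hurdle it finds (null zone, policy deny, or "for self but not interested"). Zone and interface names are taken from the trace itself; the target zone "re" for an unassigned loopback and the service "ping" are assumptions carried over from this post, and the sample traces are constructed to mirror the output above, not captured from a device.

```python
"""Triage SRX flow-trace drop reasons and print the Junos fix for each.

Added example, not code from the original post or from Juniper. It parses the
three kinds of "packet dropped" output shown above and maps each to the 'set'
command that clears that hurdle. Zone/interface names come from the trace; the
loopback zone ("re") and the service to open ("ping") are assumptions from the
post. The sample traces are constructed, not captured from a device.
"""
import re
from dataclasses import dataclass, field

# Patterns over the message part of 'CID-0:RT:' lines.
POLICY_SEARCH = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
NULL_ZONE_IFP = re.compile(r"Out-ifp (\S+) is null or in null zone")
INCOMING_IF = re.compile(r"chose interface (\S+) as incoming nat if")
DENIED = re.compile(r"denied by policy (\S+?)\(")      # policy name before "(id)"
PERMITTED = re.compile(r"permitted by policy (\S+?)\(")
FOR_SELF = "for self but not interested"


@dataclass
class Verdict:
    reason: str                 # null-zone | policy-deny | host-inbound | permitted | unknown
    fix: list[str]              # Junos 'set' commands that clear this hurdle
    facts: dict = field(default_factory=dict)


def _messages(trace: str):
    """Yield the text after ':RT:' for each trace line; '...' filler is skipped."""
    for line in trace.splitlines():
        if ":RT:" in line:
            yield line.split(":RT:", 1)[1].strip()


def triage(trace: str, lo_zone: str = "re", service: str = "ping") -> Verdict:
    """Classify the drop reason in one flow trace and suggest the remediation."""
    facts: dict = {}
    for msg in _messages(trace):
        if m := POLICY_SEARCH.search(msg):
            facts["from_zone"], facts["to_zone"] = m.group(1), m.group(2)
        if m := INCOMING_IF.search(msg):
            facts["in_if"] = m.group(1)   # last one wins: lo0.0 after session creation
        if m := NULL_ZONE_IFP.search(msg):
            facts["null_ifp"] = m.group(1)
        if m := DENIED.search(msg):
            facts["denied_by"] = m.group(1)
        if m := PERMITTED.search(msg):
            facts["permitted_by"] = m.group(1)
        if FOR_SELF in msg:
            facts["for_self"] = True

    # Order matters: the SRX meets the hurdles in this sequence.
    if "null_ifp" in facts:
        return Verdict("null-zone",
                       [f"set security zones security-zone {lo_zone} interfaces {facts['null_ifp']}"],
                       facts)
    if "denied_by" in facts:
        base = (f"set security policies from-zone {facts.get('from_zone', '?')} "
                f"to-zone {facts.get('to_zone', '?')} policy any")
        return Verdict("policy-deny", [f"{base} match source-address any",
                                       f"{base} match destination-address any",
                                       f"{base} match application any",
                                       f"{base} then permit"], facts)
    if facts.get("for_self"):
        zone, ifp = facts.get("to_zone", lo_zone), facts.get("in_if", "lo0.0")
        return Verdict("host-inbound",
                       [f"set security zones security-zone {zone} interfaces {ifp} "
                        f"host-inbound-traffic system-services {service}"], facts)
    if "permitted_by" in facts:
        return Verdict("permitted", [], facts)
    return Verdict("unknown", [], facts)


# Constructed sample traces (same shape as the post's output, not real captures).
P = "May 30 12:47:16 12:47:16.647867:CID-0:RT:"
STEP1_TRACE = "\n".join([
    f"{P}  chose interface fe-0/0/7.0 as incoming nat if.",
    f"{P}  packet dropped, out_ifp is null or in null-zone",
    f"{P}Out-ifp lo0.0 is null or in null zone",
])
STEP2_TRACE = "\n".join([
    f"{P}  chose interface fe-0/0/7.0 as incoming nat if.",
    f"{P}flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x122f,0x122f)",
    f"{P}  denied by policy default-policy-00(2), dropping pkt",
])
STEP3_TRACE = "\n".join([
    f"{P}  chose interface fe-0/0/7.0 as incoming nat if.",
    f"{P}flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x1238,0x1238)",
    f"{P}  permitted by policy any(4)",
    f"{P}  chose interface lo0.0 as incoming nat if.",
    f"{P}  packet dropped: for self but not interested",
])

if __name__ == "__main__":
    for trace in (STEP1_TRACE, STEP2_TRACE, STEP3_TRACE):
        v = triage(trace)
        print(v.reason, *v.fix, sep="\n    ")
```

Run it against real output from `show log <flow-trace-file>` after enabling security flow traceoptions with a packet-filter on the host and loopback addresses; the order of the checks mirrors the order in which the SRX applies them, so the script reports only the first hurdle still in the way.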
