From Perimeter Router Security Technical Implementation Guide Juniper
Part of uRPF strict mode or ACL not enabled on egress interface.
Associated with IA controls: ECSC-1
When Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the router would use to forward the return packet.
Step 1: Verify that uRPF check is enabled. The unicast-reverse-path statement must be included in the routing-options forwarding-table hierarchy level. The configuration should look similar to the following: routing-options { forwarding-table { unicast-reverse-path active-paths; } } Note: To consider all feasible paths during the uRPF check, include the feasible-paths option. Feasible is a superset of active path. For example, if you have a BGP session where you receive a route advertisement and you accept it (but it is not active, because there's some other route with better preference), that's considered a feasible path. Step 2: Verify that uRPF strict mode is enabled on all internal interfaces. The absence of the mode loose statement defaults to strict mode. The configuration should look similar to the following: interfaces { so-0/0/0 { unit 0 { family inet { rpf-check; } } } } Step 3: If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface. However, when a packet is not accepted on an interface, unicast RPF counts the packet and may send it to an optional fail-filter. You can define the fail-filter to perform any operation, including accepting, rejecting, logging, sampling, or policing. Hence, if a fail-filter was defined as shown in the below, verify that it does not accept the packet. The configuration should look similar to the following: interfaces { so-0/0/0 { unit 0 { family inet { rpf-check fail-filter rpf-fail; } } } } firewall { filter rpf-fail { term 1 { then { log; reject; } } } } ACL Example: [edit interfaces] fe-2/0/10 { description "downstream link to our network”; unit 0 { family inet { filter { input egress-filter; } address 199.36.90.1/24; } } } } [edit firewall] family inet { filter egress-filter { term term-established { from { protocol tcp; tcp-established; } then accept; } term ext-DNS { from { source-address { 201.111.2.130/32; } protocol udp; source-port 53; } then accept; } } term http-ftp { from { source-address { 201.111.2.0/24; } protocol tcp; destination-port [20 21 80 443 ]; } then accept; } } . . . term default-action { then { syslog; discard; } } } }
Configure the network device from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling uRPF Strict mode or via egress ACL.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer