Mailing List Archive

Unicast RPF
Hi all,

At present I am currently looking into implementing uRPF within our network
('GEANT'); as such, we would like to roll the feature out first in a
non-traffic-affecting role so that we can observe the implications it would
have on the router and production traffic. Our intention is to set the
policy so that we accept and log all traffic that fails the check so that
we can work on negating legitimate traffic that is taking an asymmetric
path. Is it possible to log the flows of traffic that fail the check rather
than each packet individually?

Any ideas or information would be greatly appreciated.

cheers,
Rob
_________________________________________________________________

Rob Walton - Network engineer
DANTE
Francis House, 112 Hills Road
Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302 992
Fax +44 1223 303 005
_________________________________________________________________
Unicast RPF [ In reply to ]
On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:

> Hi all,
>
> At present I am currently looking into implementing uRPF within
> our network ('GEANT'); as such, we would like to roll the feature out
> first in a non-traffic-affecting role so that we can observe the
> implications it would have on the router and production traffic. Our
> intention is to set the policy so that we accept and log all traffic
> that fails the check so that we can work on negating legitimate
> traffic that is taking an asymmetric path. Is it possible to log
> the flows of traffic that fail the check rather than each packet
> individually?

Not to my knowledge, but that's trivial to get from the logged
information.

> Any ideas or information would be greatly appreciated.

interfaces {
    foo {
        unit 0 {
            family inet {
                rpf-check fail-filter allow-and-log;
            }
        }
    }
}
firewall {
    family inet {
        filter allow-and-log {
            term allow-and-log {
                then {
                    log;
                    accept;
                }
            }
        }
    }
}

/Jesper
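Jesper's point that flow-level information is trivial to derive from the per-packet log can be shown with a short script. This is an added example, not code from the thread or from Juniper; it assumes that the fail-filter logs each RPF-failing packet with `then log`, and that the output of `show firewall log` carries the columns Time, Filter, Action, Interface, Protocol, Src Addr and Dest Addr (an assumption modelled on Junos output; check your release). The sample lines in SAMPLE_LOG are constructed, not captured from GEANT.

```python
"""Aggregate per-packet uRPF fail-filter log entries into flows.

Added example (not from the juniper-nsp thread). It assumes the filter from
the thread logs each RPF-failing packet with `then log`, and that the output
of `show firewall log` has the columns Time, Filter, Action, Interface,
Protocol, Src Addr, Dest Addr. That layout is an assumption modelled on Junos
output; adapt parse_log_line() if your release prints different columns.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample output (not captured from a real router). Action "A"
# means the packet was accepted by the allow-and-log filter after failing
# the RPF check, i.e. the "observe, don't drop" mode the thread is after.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
15:34:01  pfe       A      so-1/0/0.0    TCP             192.0.2.10                       198.51.100.5
15:34:01  pfe       A      so-1/0/0.0    TCP             192.0.2.10                       198.51.100.5
15:34:02  pfe       A      so-1/0/0.0    UDP             192.0.2.11                       198.51.100.53
15:34:05  pfe       A      so-2/0/0.0    ICMP            203.0.113.7                      198.51.100.5
15:34:07  pfe       A      so-1/0/0.0    TCP             192.0.2.10                       198.51.100.5
"""


@dataclass
class FlowStats:
    packets: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_log_line(line):
    """Parse one data line into a dict; return None for header/blank lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    time, filt, action, iface, proto, src, dst = fields
    try:  # reject anything whose address columns do not parse as IP addresses
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"time": time, "filter": filt, "action": action, "interface": iface,
            "protocol": proto, "src": src, "dst": dst}


def aggregate_flows(log_text):
    """Collapse per-packet entries into flows keyed by
    (ingress interface, protocol, source, destination)."""
    flows = defaultdict(FlowStats)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["interface"], rec["protocol"], rec["src"], rec["dst"])
        stats = flows[key]
        if stats.packets == 0:
            stats.first_seen = rec["time"]
        stats.packets += 1
        stats.last_seen = rec["time"]
    return dict(flows)


def summarize_by_prefix(flows, prefixlen=24):
    """Packets per (ingress interface, source prefix). A legitimate prefix that
    keeps arriving on an interface the FIB does not consider a valid path for
    it is the asymmetric-routing case to sort out before the fail-filter is
    switched from accept to discard."""
    summary = defaultdict(int)
    for (iface, _proto, src, _dst), stats in flows.items():
        prefix = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        summary[(iface, str(prefix))] += stats.packets
    return dict(summary)


def report(log_text, prefixlen=24):
    """Human-readable summary, returned as a list of lines."""
    flows = aggregate_flows(log_text)
    lines = ["RPF-failing flows:"]
    for (iface, proto, src, dst), s in sorted(flows.items(),
                                              key=lambda kv: -kv[1].packets):
        lines.append(f"  {iface:<12} {proto:<5} {src:>16} -> {dst:<16} "
                     f"{s.packets:>5} pkts  {s.first_seen}..{s.last_seen}")
    lines.append(f"Packets per ingress interface and source /{prefixlen}:")
    for (iface, prefix), n in sorted(summarize_by_prefix(flows, prefixlen).items()):
        lines.append(f"  {iface:<12} {prefix:<18} {n:>5}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two practical notes: the `log` action writes to a small ring buffer on the forwarding engine that `show firewall log` reads, so for an observation window of days rather than minutes the `syslog` action (or sampling) is the better feed for a script like this; and the per-prefix view is the one that matters for the stated goal, since a whole prefix consistently entering on one interface points at asymmetric routing, while scattered sources with no routing explanation look like spoofing.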
Unicast RPF [ In reply to ]
On Thu, 9 Jan 2003, Jesper Skriver wrote:
> On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
>
> > Hi all,
> >
> > At present I am currently looking into implementing uRPF within
> > our network ('GEANT'); as such, we would like to roll the feature out
> > first in a non-traffic-affecting role so that we can observe the
> > implications it would have on the router and production traffic. Our
> > intention is to set the policy so that we accept and log all traffic
> > that fails the check so that we can work on negating legitimate
> > traffic that is taking an asymmetric path. Is it possible to log
> > the flows of traffic that fail the check rather than each packet
> > individually?
>
> Not to my knowledge, but that's trivial to get from the logged
> information.
>
> > Any ideas or information would be greatly appreciated.
>
> interfaces {
>     foo {
>         unit 0 {
>             family inet {
>                 rpf-check fail-filter allow-and-log;
>             }
>         }
>     }
> }

You forgot the statement:

routing-options {
    forwarding-table {
        unicast-reverse-path active-paths;
    }
}

(or 'feasible-paths'), I think?

> firewall {
>     family inet {
>         filter allow-and-log {
>             term allow-and-log {
>                 then {
>                     log;
>                     accept;
>                 }
>             }
>         }
>     }
> }
>
> /Jesper
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
Unicast RPF [ In reply to ]
On Thu, Jan 09, 2003 at 06:02:10PM +0200, Pekka Savola wrote:
> On Thu, 9 Jan 2003, Jesper Skriver wrote:
> > On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
> >
> > > Hi all,
> > >
> > > At present I am currently looking into implementing uRPF within
> > > our network ('GEANT'); as such, we would like to roll the feature out
> > > first in a non-traffic-affecting role so that we can observe the
> > > implications it would have on the router and production traffic. Our
> > > intention is to set the policy so that we accept and log all traffic
> > > that fails the check so that we can work on negating legitimate
> > > traffic that is taking an asymmetric path. Is it possible to log
> > > the flows of traffic that fail the check rather than each packet
> > > individually?
> >
> > Not to my knowledge, but that's trivial to get from the logged
> > information.
> >
> > > Any ideas or information would be greatly appreciated.
> >
> > interfaces {
> >     foo {
> >         unit 0 {
> >             family inet {
> >                 rpf-check fail-filter allow-and-log;
> >             }
> >         }
> >     }
> > }
>
> You forgot the statement:
>
> routing-options {
>     forwarding-table {
>         unicast-reverse-path active-paths;
>     }
> }
>
> (or 'feasible-paths'), I think?

That is the equivalent of

interfaces {
    foo {
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter allow-and-log;
                    mode [ loose | strict ];
                }
            }
        }
    }
}

strict is the default and equivalent to your version using
active-paths; loose mode is your version with feasible-paths.

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Senior network engineer @ AS3292, TDC

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.