Unicast RPF in Dynamic Profiles for Subscriber Interfaces
Unicast reverse-path forwarding (RPF) provides a way to reduce the effect of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on IPv4 and IPv6 interfaces. When you configure unicast RPF on an interface, it checks the packet source address. Packets that pass the check are forwarded. Packets that fail the check are dropped, or if a fail filter is configured, are passed to the filter for further evaluation.
Unicast RPF has two behavioral modes, strict and loose. When you configure unicast RPF in a dynamic profile, strict mode is the default. In strict mode, unicast RPF checks whether the source address of the incoming packet matches a prefix in the routing table, and whether the interface expects to receive a packet with this source address prefix. In loose mode, unicast RPF checks only whether the source address has a match in the routing table. It does not check whether the interface expects to receive a packet from a specific source address.
For both modes, when an incoming packet fails the unicast RPF check, the packet is not accepted on the interface. Instead, unicast RPF counts the packet and sends it to an optional fail filter, if present. The fail filter determines what further action is taken on the packet. In the absence of a fail filter, the packet is silently discarded.
Starting in Junos OS Release 19.1R1, the show interfaces statistics logical-interface-name detail command displays unicast RPF statistics for dynamic logical interfaces when either rpf-check or rpf-check mode loose is enabled on the interface. No additional statistics are displayed when rpf-check fail-filter filter-name is configured on the interface. The clear interfaces statistics logical-interface-name command clears RPF statistics.
Configuring Unicast RPF in Dynamic Profiles for Subscriber Interfaces
Unicast RPF provides a way to reduce the effect of denial-of-service attacks on IPv4 and IPv6 interfaces by checking the source IP address against the routing table. Packets that do not match are silently discarded, unless an optional fail filter is configured. The fail filter performs an additional check and directs that some action be taken on certain packets. Typical actions include logging the packets or passing them even though they failed the RPF check.
Although the fail filter is technically optional, for dynamic profiles in a DHCP environment you must configure a filter to pass DHCP packets. By default, the RPF check prevents DHCP packets from being accepted on interfaces protected by the RPF check. The fail filter identifies the DHCP packets and passes them on.
To configure a unicast RPF check in a dynamic profile:
Configuring a Fail Filter for Unicast RPF in Dynamic Profiles for Subscriber Interfaces
This topic describes how to configure a fail filter at the [edit firewall] hierarchy level that can be optionally applied by unicast RPF for subscriber interfaces in dynamic profiles on MX Series routers.
In contrast to statically configured fail filters, RPF-check fail filters used in a dynamic profile cannot be specific to a particular interface.
To configure a firewall fail filter:
Example: Configuring Unicast RPF in a Dynamic Profile on MX Series Routers
This example shows how to help defend the router ingress interfaces against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring unicast reverse-path forwarding (RPF) on a customer-edge interface to filter incoming traffic. Unicast RPF verifies the unicast source address of each packet that arrives on an ingress interface where unicast RPF is enabled. Packets that fail verification are silently discarded unless a fail filter performs some other action on them.
Requirements
This example uses the following software and hardware components:
An MX Series 5G Universal Routing Platform
Before you begin:
Configure the dynamic profile that you intend to use to apply the RPF check.
Overview
Large amounts of unauthorized traffic—such as attempts to flood a network with fake service requests in a denial-of-service (DoS) attack—can consume network resources and deny service to legitimate users. One way to help prevent DoS and distributed denial-of-service (DDoS) attacks is to verify that incoming traffic originates from legitimate network sources.
Unicast RPF helps ensure that a traffic source is legitimate (authorized) by comparing the source address of each packet that arrives on an interface to the forwarding-table entry for its source address. If the router uses the same interface that the packet arrived on to reply to the packet's source, this verifies that the packet originated from an authorized source, and the router forwards the packet. If the router does not use the same interface that the packet arrived on to reply to the packet's source, the packet might have originated from an unauthorized source, and the router discards the packet, or passes it to a fail filter.
The fail filter enables you to set criteria for packets you want to be passed in spite of failing the RPF check, such as DHCP packets, which are dropped by default.
On MX Series routers, you can configure unicast RPF in a dynamic profile to apply the configuration to one or more subscriber interfaces. See Understanding Unicast RPF (Routers) for more information about the behavior and limitations of unicast RPF on MX Series routers.
In this example, you configure the router to protect against potential DoS and DDoS attacks from the Internet perpetrated through IPv4 packets arriving on dynamically created VLAN demux interfaces. The dynamic profile, vlan-demux-prof, establishes that VLAN demux interfaces are automatically created for subscribers. Unicast RPF is enabled on the dynamic interfaces by the rpf-check term.
By default, unicast RPF prevents Dynamic Host Configuration Protocol (DHCP) packets from being accepted on interfaces to which it applies. When DHCP packets are discarded, no new subscribers can be created by the dynamic profile. To enable interfaces to accept DHCP packets, you must apply a fail filter that properly sorts through the packets that fail the check and identifies the DHCP packets. In this example, you configure the allow-dhcp term in the filter rpf-pass-dhcp. This term matches, counts, and accepts IPv4 packets that are destined for the DHCP port and any address. The default term drops all other packets that fail the RPF check.
This example does not show all possible configuration choices.
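As an added illustration that is not part of this example or of Junos OS, the following Python model replays the strict and loose checks and the rpf-pass-dhcp fail filter over a constructed forwarding table and three constructed packets (interface names, prefixes and addresses are assumed). It shows why a DHCP DISCOVER sourced from 0.0.0.0 fails the check in both modes and is only passed because the allow-dhcp term accepts it, and why a source belonging to another subscriber VLAN fails strict mode but passes loose mode:

```python
import ipaddress
from collections import Counter

# Constructed forwarding table: prefix -> interface the router would use to reach it.
# Interface names and prefixes are hypothetical. No default route is installed in this
# model: with one, every source would find a match and loose mode would pass everything.
FIB = {
    ipaddress.ip_network("10.20.0.0/16"): "demux0.100",   # subscriber VLAN 100
    ipaddress.ip_network("10.30.0.0/16"): "demux0.200",   # subscriber VLAN 200
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/0.0",   # upstream (TEST-NET-1)
}

counters = Counter()   # stands in for the filter's "count" action and the RPF fail counter

def lookup(src):
    """Longest-prefix match on the source address; None when no route exists."""
    ip = ipaddress.ip_address(src)
    best = max((n for n in FIB if ip in n), key=lambda n: n.prefixlen, default=None)
    return FIB[best] if best is not None else None

def rpf_check(pkt, mode="strict"):
    """Strict: a route to the source must exist AND point back out the ingress interface.
    Loose: a route to the source merely has to exist."""
    egress = lookup(pkt["src"])
    if egress is None:               # e.g. DHCP DISCOVER from 0.0.0.0: no route at all
        return False
    return mode == "loose" or egress == pkt["ingress"]

def fail_filter(pkt):
    """Model of filter rpf-pass-dhcp: term allow-dhcp, then term default (discard)."""
    if pkt["proto"] == "udp" and pkt["dport"] == 67 and pkt["dst"] == "255.255.255.255":
        counters["rpf-dhcp-traffic"] += 1
        return "accept"
    return "discard"

def ingress(pkt, mode="strict", use_fail_filter=True):
    """Forward packets that pass RPF; hand failures to the fail filter, or drop them."""
    if rpf_check(pkt, mode):
        return "forward"
    counters["rpf-failed"] += 1
    return fail_filter(pkt) if use_fail_filter else "discard"

# Constructed packets, all arriving on subscriber interface demux0.100.
DHCP_DISCOVER = dict(src="0.0.0.0", dst="255.255.255.255", proto="udp", dport=67, ingress="demux0.100")
LEGIT = dict(src="10.20.5.7", dst="192.0.2.10", proto="tcp", dport=443, ingress="demux0.100")
SPOOFED = dict(src="10.30.1.1", dst="192.0.2.10", proto="tcp", dport=443, ingress="demux0.100")

if __name__ == "__main__":
    for name, pkt in (("dhcp", DHCP_DISCOVER), ("legit", LEGIT), ("spoofed", SPOOFED)):
        print(f"{name:8} strict={ingress(pkt, 'strict'):8} loose={ingress(pkt, 'loose')}")
    print("no fail filter, dhcp:", ingress(DHCP_DISCOVER, use_fail_filter=False))
    print(dict(counters))
```

Without the fail filter the DHCP DISCOVER is discarded, which is the failure mode the text describes: no subscriber session can ever be created on the interface.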
Topology
Configuration
To enable unicast RPF with a fail filter in a dynamic profile, perform these tasks:
- Configuring the Dynamic Profile to Apply RPF Checking to Dynamic VLAN Demux Interfaces
- Configuring the RPF-Check Fail Filter
Configuring the Dynamic Profile to Apply RPF Checking to Dynamic VLAN Demux Interfaces
CLI Quick Configuration
To quickly configure the dynamic profile to apply unicast RPF to dynamically created VLAN demux interfaces, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
edit dynamic-profiles vlan-demux-prof interfaces demux0
edit unit $junos-interface-unit
set demux-options underlying-interface $junos-interface-ifd-name
set vlan-id $junos-vlan-id
edit family inet
set unnumbered-address lo0.0
set rpf-check fail-filter rpf-pass-dhcp
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure unicast RPF on the router:
Create a dynamic profile.
[edit]
user@host# edit dynamic-profiles vlan-demux-prof
Specify that the dynamic VLAN profile use the demux interface.
[edit dynamic-profiles vlan-demux-prof]
user@host# edit interfaces demux0
Specify that the dynamic profile applies the demux interface unit value to the dynamic VLANs.
[edit dynamic-profiles vlan-demux-prof interfaces demux0]
user@host# edit unit $junos-interface-unit
Specify the logical underlying interface for the dynamic VLANs.
[edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
user@host# set demux-options underlying-interface $junos-interface-ifd-name
Configure the variable that results in dynamically created VLAN IDs.
[edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
user@host# set vlan-id $junos-vlan-id
Configure the IPv4 address family for the demux interfaces.
[edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
user@host# edit family inet
Configure the unnumbered address for the family.
[edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit family inet]
user@host# set unnumbered-address lo0.0
Configure unicast RPF and specify the fail filter that is applied to incoming packets that fail the check.
[edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit family inet]
user@host# set rpf-check fail-filter rpf-pass-dhcp
Configuring the RPF-Check Fail Filter
CLI Quick Configuration
To quickly configure the unicast RPF-check fail filter, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
edit firewall family inet filter rpf-pass-dhcp
edit term allow-dhcp
set from destination-port dhcp
set from destination-address 255.255.255.255/32
set then count rpf-dhcp-traffic
set then accept
up
edit term default
set then discard
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure the RPF-check fail filter:
Create the fail filter.
[edit firewall]
user@host# edit family inet filter rpf-pass-dhcp
Define the filter term that identifies DHCP packets based on the DHCP destination port, then counts and passes the packets.
[edit firewall family inet filter rpf-pass-dhcp]
user@host# edit term allow-dhcp
user@host# set from destination-port dhcp
user@host# set from destination-address 255.255.255.255/32
user@host# set then count rpf-dhcp-traffic
user@host# set then accept
Define the filter term that drops all other failed packets.
[edit firewall family inet filter rpf-pass-dhcp]
user@host# edit term default
user@host# set then discard
Results
From configuration mode, confirm the unicast RPF configuration by entering the show dynamic-profiles command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show dynamic-profiles
vlan-demux-prof {
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                vlan-id "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-interface-ifd-name";
                }
                family inet {
                    unnumbered-address lo0.0;
                    rpf-check {
                        fail-filter rpf-pass-dhcp;
                    }
                }
            }
        }
    }
}
From configuration mode, confirm the fail filter configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show firewall
family inet {
    filter rpf-pass-dhcp {
        term allow-dhcp {
            from {
                destination-address {
                    255.255.255.255/32;
                }
                destination-port dhcp;
            }
            then {
                count rpf-dhcp-traffic;
                accept;
            }
        }
        term default {
            then {
                discard;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is correct, perform these tasks:
Verifying That Unicast RPF Is Enabled on the Router
Purpose
Verify that unicast RPF is enabled.
Action
Verify that unicast RPF is enabled by using the show subscribers extensive command.
user@host> show subscribers extensive
Type: VLAN
Logical System: default
Routing Instance: default
Interface: ae0.1073741824
Interface type: Dynamic
Dynamic Profile Name: vlan-demux-prof
State: Active
Session ID: 9
VLAN Id: 100
Login Time: 2011-08-26 08:17:00 PDT
IPv4 rpf-check Fail Filter Name: rpf-pass-dhcp
Meaning
The IPv4 rpf-check Fail Filter Name field displays rpf-pass-dhcp, the name of the fail filter applied by the dynamic profile for IPv4 packets failing the RPF check.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release 19.1R1: The show interfaces statistics logical-interface-name detail command displays unicast RPF statistics for dynamic logical interfaces when either rpf-check or rpf-check mode loose is enabled on the interface.