[j-nsp] uRPF config
Jack.W.Parks at alltel.com
Thu Sep 18 10:02:59 EDT 2003
Is the following stanza required for uRPF?
[edit interfaces fe-0/0/0]
unit 0 {
    family inet {
        rpf-check;
    }
}
If [edit routing-options forwarding-table]
    unicast-reverse-path feasible-paths;
is 'only' configured, are you actually doing uRPF checks?
Jack
-----Original Message-----
From: Pekka Savola [mailto:pekkas at netcore.fi]
Sent: Thursday, September 18, 2003 6:42 AM
To: Sonny Franslay
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] uRPF config
On Thu, 18 Sep 2003, Sonny Franslay wrote:
> > In other words, feasible path strict uRPF works in most cases also
> > with asymmetrical routing and multihomed scenarios. This is only
> > implemented by Juniper AFAIK.
>
> so what is the significance of "rpf-check mode loose" on the interface
> when I use feasible path?
No different when you're using active paths. Remember that with loose
mode, you allow any route anyway. If you only mean to use loose mode
though, I'd recommend using active paths -- fewer things to keep track of.
The difference between feasible and active paths in this context is just
a race condition, it seems.
By the definition, feasible paths just gives you "more" than just one
active path. The list of all paths is still the same.
> Also what would be the effect when I have a default route
> configured?
For (strict) routes, it depends on where the default route points to.
If it's a real default route, I think the loose mode is useless -- but
this should be confirmed or tested -- there are some implementations
which ignore default routes when doing a loose RPF lookup.
What we've been unable to get a clear answer from is whether a _static
null default route_ will yield the same behaviour as a default route
pointing to some real interface.
I think our non-tested analysis was that null default routes and loose
RPF were compatible, but I wouldn't depend on that.
> As far as I can gather from the juniper.net/techpubs is this: "Loose
> mode-All packets are automatically accepted. For this reason, we
> recommend that you not configure unicast RPF loose mode on interfaces
> that the default route uses."
Right, but this doesn't really answer the question of these typically
necessary "null default routes"..
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
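
Added example, not part of the original messages and not Juniper's implementation: a simplified Python model of the checks discussed above (strict vs. loose, active vs. feasible paths, and a real default route). The RIB contents, the function names and the loose_ignores_default knob are assumptions made for illustration; a static null default route is deliberately not modelled, since the thread leaves its behaviour open.

```python
import ipaddress

# Constructed RIB: prefix -> [(interface, is_active_path)]. All values are made up.
RIB = {
    "192.0.2.0/24": [("fe-0/0/0", True), ("fe-0/0/1", False)],  # multihomed customer
    "198.51.100.0/24": [("fe-0/0/1", True)],
    "0.0.0.0/0": [("fe-0/0/2", True)],  # "real" default toward an upstream
}

def lookup(src, rib):
    """Longest-prefix match for src; returns (network, paths) or None."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), paths) for p, paths in rib.items()]
    hits = [(n, paths) for n, paths in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf_accept(src, in_if, rib, mode="strict", paths="active",
                loose_ignores_default=False):
    """Return True if a packet from src arriving on in_if passes the check.

    mode:  "strict" (source must be reachable via in_if) or "loose" (any route).
    paths: "active" (best path only) or "feasible" (every path in the RIB).
    loose_ignores_default: assumption knob for implementations that skip
        0.0.0.0/0 during a loose lookup.
    """
    hit = lookup(src, rib)
    if hit is None:
        return False
    net, route_paths = hit
    if mode == "loose":
        # Any matching route passes, so the path set is irrelevant here.
        return not (loose_ignores_default and net.prefixlen == 0)
    allowed = {ifname for ifname, active in route_paths
               if active or paths == "feasible"}
    return in_if in allowed

if __name__ == "__main__":
    for paths in ("active", "feasible"):
        for mode in ("strict", "loose"):
            ok = urpf_accept("192.0.2.10", "fe-0/0/1", RIB, mode, paths)
            print(f"{mode:6} {paths:8} 192.0.2.10 on fe-0/0/1 -> {ok}")
    print("loose, unrouted source, default present ->",
          urpf_accept("203.0.113.9", "fe-0/0/0", RIB, "loose"))
```

In this model the only case that rejects the asymmetric packet is strict mode with active paths; with a real default route in the table, loose mode accepts every source unless the lookup skips the default.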