[j-nsp] uRPF config

Pekka Savola pekkas at netcore.fi
Fri Sep 19 10:28:49 EDT 2003


On Thu, 18 Sep 2003 Jack.W.Parks at alltel.com wrote:
> Is the following stanza required for uRPF?
> 
>    [edit interfaces fe-0/0/0]
>    unit 0 {
>        family inet {
>            rpf-check;
>        }
>    }

Yes.

> If
>    [edit routing-options forwarding-table]
>    unicast-reverse-path feasible-paths;
> is 'only' configured, are you actually doing uRPF checks?


You don't have to set routing-options-forwarding-table 
unicast-reverse-path; it defaults to active-paths.  If you want to change 
the behaviour to cater for feasible paths also, you can set up the 
additional toggle, switching on additional features in the interfaces 
where you've configured rpf-check.


> -----Original Message-----
> From: Pekka Savola [mailto:pekkas at netcore.fi] 
> Sent: Thursday, September 18, 2003 6:42 AM
> To: Sonny Franslay
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] uRPF config
> 
> 
> On Thu, 18 Sep 2003, Sonny Franslay wrote:
> > > In other words, feasible path strict uRPF works in most cases also 
> > > with asymmetrical routing and multihomed scenarios.  This is only 
> > > implemented by Juniper AFAIK.
> > 
> > so what is the significance of "rpf-check mode loose" on the interface 
> > when I use feasible path?
> 
> No different when you're using active paths.  Remember that with loose
> mode, you allow any route anyway.  If you only mean to use loose mode
> though, I'd recommend using active paths -- fewer things to keep track of.
> 
> The difference between feasible and active paths in this context is just
> a race condition, it seems.  
> 
> By the definition, feasible paths just gives you "more"  than just one
> active path.  The list of all paths is still the same.
>  
> > Also what would be the effect when I have a default route 
> > configured?
> 
> For (strict) routes, it depends on where the default route points to.
> If it's a real default route, I think the loose mode is useless -- but
> this should be confirmed or tested -- there are some implementations
> which ignore default routes when doing a loose RPF lookup.
> 
> What we've been unable to get a clear answer from is whether a _static 
> null default route_ will yield the same behaviour as a default route 
> pointing to some real interface.
> 
> I think our non-tested analysis was that null default routes and loose
> RPF were compatible, but I wouldn't depend on that.
> 
> > As far as I can gather from the juniper.net/techpubs is this: "Loose 
> > mode-All packets are automatically accepted. For this reason, we 
> > recommend that you not configure unicast RPF loose mode on interfaces 
> > that the default route uses."
> 
> Right, but this doesn't really answer the question of these typically
> necessary "null default routes"..
> 
> 

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
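
The accept/drop decisions discussed in this message, as an added example that is not part of the original post and is not Junos code: a simplified Python model of strict uRPF with active-paths versus feasible-paths, and of loose mode with and without a default route. The routing table, the interface names other than fe-0/0/0, and the `loose_ignores_default` switch (standing in for the "some implementations ignore default routes" remark) are constructed assumptions. The model does not settle how a null default route behaves.

```python
import ipaddress

# Constructed RIB: prefix -> [(interface, is_active_path)].
# 192.0.2.0/24 is learned from two upstreams; only ge-0/0/1 is the active path.
RIB = {
    "192.0.2.0/24": [("ge-0/0/1", True), ("ge-0/0/2", False)],
    "198.51.100.0/24": [("fe-0/0/0", True)],
}
# Same table plus a real (non-null) default route via ge-0/0/1.
RIB_WITH_DEFAULT = {**RIB, "0.0.0.0/0": [("ge-0/0/1", True)]}


def lookup(rib, src):
    """Longest-prefix match on the source address; (network, paths) or None."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in rib]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, rib[str(best)]


def urpf_accept(rib, src, in_if, mode="strict", paths="active-paths",
                loose_ignores_default=False):
    """True if a packet from `src` arriving on `in_if` passes the check."""
    hit = lookup(rib, src)
    if hit is None:
        return False                      # no route back to the source at all
    net, candidates = hit
    if mode == "loose":
        # Loose mode: any route to the source is enough, so a default
        # route makes every source pass unless the lookup skips it.
        return not (net.prefixlen == 0 and loose_ignores_default)
    if paths == "active-paths":
        candidates = [c for c in candidates if c[1]]
    # Strict mode: the arrival interface must be one of the candidate paths.
    return any(ifname == in_if for ifname, _ in candidates)


if __name__ == "__main__":
    # Asymmetric return traffic arriving on the non-best upstream.
    for p in ("active-paths", "feasible-paths"):
        print(p, urpf_accept(RIB, "192.0.2.10", "ge-0/0/2", paths=p))
    # Unrouted source in loose mode, without and with a default route.
    print(urpf_accept(RIB, "203.0.113.5", "fe-0/0/0", mode="loose"))
    print(urpf_accept(RIB_WITH_DEFAULT, "203.0.113.5", "fe-0/0/0", mode="loose"))
```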


