[j-nsp] urpf

Chuck Anderson cra at WPI.EDU
Fri Feb 28 17:38:58 EST 2014


On Fri, Feb 28, 2014 at 03:03:57PM -0700, thomas.bowlby wrote:
> Installing some Juniper routers as borders and need specifically RTBH functionality.
> This was accomplished by upgrading code to > 12.1 (specifically 12.3R4.5) and including 
> 'set forwarding-options rpf-loose-mode-discard family inet'
> 'set forwarding-options rpf-loose-mode-discard family inet6'
> 
> The issue I'm running up against is the current need to have a default (although as of today we receive full tables), and if the source is not in the table and hits the default route, it is discarded.
> 
> I don't see an option similar to other vendors' allow-default.
> The current solution seems to include two different statics for 0.0.0.0/1 and 128.0.0.0/1.
> Are there other options I'm unaware of?

What does your default route look like?  Is it a static default with a
reject next hop?  Can you instead use a generate route and does that
help?  Something like this:

set routing-options rib inet6.0 generate route ::/0 policy DEFAULT-CONTRIB
set routing-options generate route 0.0.0.0/0 policy DEFAULT-CONTRIB
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 128.63.2.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.5.4.0/23 orlonger
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.33.4.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.36.148.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.58.128.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.112.36.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.203.230.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.228.79.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 193.0.14.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 198.41.0.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.83.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.91.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 202.12.27.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET then accept
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:1::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2d::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2f::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:3::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:ba3e::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:c27::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fd::/48 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fe::/33 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:dc3::/32 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET then accept
set policy-options policy-statement DEFAULT-CONTRIB term REJECT then reject


Another idea might be to filter the default route from the forwarding
table to see if that prevents uRPF discard mode from triggering:

set routing-options forwarding-table export REJECT-DEFAULT
set policy-options policy-statement REJECT-DEFAULT from route-filter 0.0.0.0/0 exact
set policy-options policy-statement REJECT-DEFAULT then reject
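A small Python model of the behaviour under discussion, added here as an example and not part of this thread or of Junos. It assumes that loose-mode discard drops a packet only when the longest match for its source address is a route with a discard or reject next hop, and forwards a source that matches no route at all; the prefixes and interface names are constructed.

```python
"""Model of uRPF loose-mode discard against a small FIB (added example).

Assumption (not verified against Junos): the check fails only when the
longest-prefix match for the source is a route whose next hop is a
blackhole (discard or reject); a source with no route at all is forwarded.
"""
import ipaddress

BLACKHOLE = {"discard", "reject"}


def lpm(fib, src):
    """Return (prefix, next_hop) of the longest prefix covering src, or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_nh = None, None
    for prefix, nh in fib:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_nh = net, nh
    return None if best_net is None else (str(best_net), best_nh)


def urpf_loose_discard_passes(fib, src):
    """True if the packet is forwarded, False if loose-mode discard drops it."""
    route = lpm(fib, src)
    if route is None:
        return True          # no route at all: nothing blackholed, forward
    return route[1] not in BLACKHOLE


def without_default(fib):
    """Model 'forwarding-table export REJECT-DEFAULT': drop the /0 entries."""
    return [r for r in fib if ipaddress.ip_network(r[0]).prefixlen != 0]


# Constructed FIB resembling the poster's situation: a rejecting default
# plus an RTBH-style /32 pointed at discard (documentation address ranges).
FIB_WITH_REJECT_DEFAULT = [
    ("0.0.0.0/0", "reject"),
    ("198.51.100.0/24", "ge-0/0/0"),   # a learned prefix with a real next hop
    ("203.0.113.7/32", "discard"),      # RTBH route that should keep dropping
]

# Workaround from the thread: two statics covering the whole address space
# with a real next hop, so unknown sources no longer match the rejecting /0.
FIB_WITH_HALF_STATICS = FIB_WITH_REJECT_DEFAULT + [
    ("0.0.0.0/1", "ge-0/0/1"),
    ("128.0.0.0/1", "ge-0/0/1"),
]
```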

