[j-nsp] urpf

Tlb thomas.bowlby at gmail.com
Sat Mar 1 17:08:05 EST 2014


Default is to valid next-hop.
This definitely helps, as the generate route was an option I had previously not explored.


> ---------------------------
> Date: Fri, 28 Feb 2014 17:38:58 -0500
> From: Chuck Anderson <cra at WPI.EDU>
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] urpf
> Message-ID: <20140228223857.GE9011 at angus.ind.WPI.EDU>
> Content-Type: text/plain; charset=utf-8

>> On Fri, Feb 28, 2014 at 03:03:57PM -0700, thomas.bowlby wrote:
>> Installing some Juniper routers as borders and specifically need RTBH functionality.
>> This was accomplished by upgrading code to > 12.1 (specifically 12.3R4.5) and including 
>> 'set forwarding-options rpf-loose-mode-discard family inet'
>> 'set forwarding-options rpf-loose-mode-discard family inet6'
>> 
>> The issue I'm running up against is the current need to have a default (although as of today we receive full tables): if a source is not in the table and hits the default route, it is discarded.
>> 
>> I don't see an option similar to other vendors' allow-default.
>> The current solution seems to include two different statics for 0.0.0.0/1 and 128.0.0.0/1.
>> Other options I'm unaware of?
> 
> What does your default route look like?  Is it a static default with a
> reject next hop?  Can you instead use a generate route and does that
> help?  Something like this:
> 
> set routing-options rib inet6.0 generate route ::/0 policy DEFAULT-CONTRIB
> set routing-options generate route 0.0.0.0/0 policy DEFAULT-CONTRIB
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 128.63.2.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.5.4.0/23 orlonger
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.33.4.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.36.148.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.58.128.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.112.36.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.203.230.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.228.79.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 193.0.14.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 198.41.0.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.83.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.91.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 202.12.27.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET then accept
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:1::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2d::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2f::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:3::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:ba3e::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:c27::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fd::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fe::/33 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:dc3::/32 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET then accept
> set policy-options policy-statement DEFAULT-CONTRIB term REJECT then reject
> 
> 
> Another idea might be to filter the default route from the forwarding
> table to see if that prevents uRPF discard mode from triggering:
> 
> set routing-options forwarding-table export REJECT-DEFAULT
> set policy-options policy-statement REJECT-DEFAULT from route-filter 0.0.0.0/0 exact
> set policy-options policy-statement REJECT-DEFAULT then reject
> 
> 
> ------------------------------
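
Putting the pieces from this thread together in one place, as an added example rather than configuration from any of the posters: loose-mode uRPF on the upstream interface, `rpf-loose-mode-discard` so that discard routes drop matching sources, RTBH triggers (a local static discard route and an iBGP-learned /32 tagged with a blackhole community), and a generated default that inherits a real forwarding next hop so that sources absent from the table are not discarded. The interface names, the BGP group name, the 65000:666 community value, and the 192.0.2.0/24 and 2001:db8::/32 documentation prefixes are assumptions, not values from the original posts; the contributor prefixes for the generated default are likewise placeholders for whatever stable upstream-learned routes you choose.

```junos
# Added example, not from the original thread. Values marked ASSUMED are
# illustrative placeholders. Lines starting with '#' are annotations and
# must be stripped before 'load set'.

# 1. Loose-mode uRPF on the upstream-facing interface (ASSUMED xe-0/0/0).
#    Loose mode only requires that some route to the source exist in the FIB.
set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose
set interfaces xe-0/0/0 unit 0 family inet6 rpf-check mode loose

# 2. Make loose mode also drop packets whose source resolves to a route with
#    a discard next hop (Junos 12.1 and later). This is what gives
#    source-based RTBH with loose-mode uRPF.
set forwarding-options rpf-loose-mode-discard family inet
set forwarding-options rpf-loose-mode-discard family inet6

# 3. RTBH triggers. (a) A local static discard route (ASSUMED prefixes).
set routing-options static route 192.0.2.77/32 discard
set routing-options rib inet6.0 static route 2001:db8::bad/128 discard
#    (b) A /32 learned over iBGP carrying the blackhole community
#    (ASSUMED community 65000:666 and group name IBGP).
set policy-options community BLACKHOLE members 65000:666
set policy-options policy-statement RTBH-IN term BH from community BLACKHOLE
set policy-options policy-statement RTBH-IN term BH from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement RTBH-IN term BH then next-hop discard
set policy-options policy-statement RTBH-IN term BH then accept
set protocols bgp group IBGP import RTBH-IN

# 4. The trap described in the thread: a default route with a discard next
#    hop. With rpf-loose-mode-discard enabled, every source not covered by a
#    more specific route resolves to this route and is dropped.
#    DO NOT combine with step 2:
#    set routing-options static route 0.0.0.0/0 discard

# 5. Instead, a generated default. It is only active while at least one
#    contributing route accepted by DEFAULT-CONTRIB is present, and it takes
#    its forwarding next hop from a contributing route rather than discard,
#    so unknown sources pass loose-mode uRPF while the /32 and /128 discard
#    routes above still blackhole their sources.
set routing-options generate route 0.0.0.0/0 policy DEFAULT-CONTRIB
set routing-options rib inet6.0 generate route ::/0 policy DEFAULT-CONTRIB
set policy-options policy-statement DEFAULT-CONTRIB term V4 from protocol bgp
set policy-options policy-statement DEFAULT-CONTRIB term V4 from route-filter 192.0.2.0/24 exact
set policy-options policy-statement DEFAULT-CONTRIB term V4 then accept
set policy-options policy-statement DEFAULT-CONTRIB term V6 from protocol bgp
set policy-options policy-statement DEFAULT-CONTRIB term V6 from route-filter 2001:db8::/32 exact
set policy-options policy-statement DEFAULT-CONTRIB term V6 then accept
set policy-options policy-statement DEFAULT-CONTRIB term REJECT then reject

# Checks after commit:
#   show route 0.0.0.0/0 exact          -> default must show a forwarding
#                                          next hop, not "Discard"
#   show route 192.0.2.77/32 exact      -> the RTBH /32 must show "Discard"
#   show interfaces xe-0/0/0 extensive | match RPF
#                                       -> RPF failure counters should rise
#                                          only for blackholed sources
```

The contributor prefixes in DEFAULT-CONTRIB should be routes you expect to be present whenever the upstream is usable (the original reply used the root-server prefixes for this reason); if every contributor disappears, the generated default is withdrawn, which is the intended fail-closed behaviour rather than a fault in uRPF.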


