
On Wed, 14 May 2003, Lars Higham wrote:
Well, this is also from the docs:
Unicast reverse path-forwarding (uRPF) check is a tool to reduce forwarding of IP packets that may be spoofing an address. A uRPF check performs a route table lookup on an IP packet's source address, and checks the incoming interface. The router determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the router forwards the packet to the destination address. If it is not from a valid path, the router discards the packet. uRPF is supported for both Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6) protocol families.
Do you have more specific questions about the implementation?
The original question was along the lines of: "On a cisco the blackholed SOURCE address will get dumped in uRPF, is that possible on the Juniper also?"
Regards, Lars
-----Original Message-----
From: Christopher L. Morrow [mailto:chris@UU.NET]
Sent: Wednesday, May 14, 2003 9:37 AM
To: Lars Higham
Cc: 'Stefan Mink'; 'Haesu'; jtk@aharp.is-net.depaul.edu; nanog@merit.edu
Subject: RE: Using Policy Routing to stop DoS attacks
On Wed, 14 May 2003, Lars Higham wrote:
Sorry,
I misunderstood the earlier question -
From the docs: To enable unicast RPF check, include the unicast-reverse-path statement at the [edit routing-options forwarding-table] hierarchy level:

[edit]
routing-options {
    forwarding-table {
        unicast-reverse-path (active-paths | feasible-paths);
    }
}
yes, the config bits are on the website.... BUT, not the details of the implementation :) So, does uRPF on a juniper work the same as the cisco?? :)
Regards, Lars Higham
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Christopher L. Morrow
Sent: Tuesday, May 13, 2003 2:00 AM
To: Stefan Mink
Cc: Haesu; jtk@aharp.is-net.depaul.edu; nanog@merit.edu
Subject: Re: Using Policy Routing to stop DoS attacks
On Mon, 12 May 2003, Stefan Mink wrote:
On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
you could hold blackhole routes for these destinations in your route table (local or bgp). So long as the destination for the source is bad (null for instance) the traffic would get dropped. I believe the proper terms from cisco for this are: "So long as the adjacency is invalid" ...
is there a way to make this source-blackhole-routing work on J's too (does this work with discard-routes too)?
I believe someone from Juniper should likely answer this question :) As I understand the setup from a Cisco perspective (and someone from Cisco can correct me if I get it wrong), uRPF works in such a way that if the source address's destination has an invalid FIB entry (or no entry, or Null0) the packets are dropped.
Perhaps Juniper implemented it this way? I have not checked any more closely than this. Sorry. :(
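The behaviour the thread is asking about can be modelled in a few lines. The following is an added toy model, not code from the thread, from Juniper or from Cisco: it implements the uRPF decision as the quoted docs describe it (look up the packet's source address, compare the route's interface with the incoming interface), distinguishes the active-paths and feasible-paths modes named in the Junos snippet, and adds the source-blackholing rule Chris describes for Cisco (a source whose longest-match route is a discard/Null0 route, or that has no route at all, is dropped). Whether Junos really drops on a discard route is exactly the open question in the thread, so in this model that rule is an explicit assumption. The FIB entries, interface names and addresses are constructed sample data.

```python
"""Toy model of a unicast RPF source check with source-based blackholing.

Constructed example for illustration; it is not Junos or IOS code, and the
"drop when the source's route is a discard route" rule is an assumption that
models the Cisco behaviour described in the thread, not a statement about Junos.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

DISCARD = None  # an interface of None stands for a discard / Null0 route


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: Optional[str]  # outgoing interface, or DISCARD
    active: bool = True   # False = feasible but not currently selected (e.g. a BGP alternate)


class Fib:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def matches(self, addr, feasible: bool = False) -> List[Route]:
        """Longest-prefix match: all routes for the most specific prefix covering addr.
        With feasible=False only active routes count (active-paths mode)."""
        cands = [r for r in self.routes if addr in r.prefix and (feasible or r.active)]
        if not cands:
            return []
        best = max(r.prefix.prefixlen for r in cands)
        return [r for r in cands if r.prefix.prefixlen == best]


def urpf_check(fib: Fib, src: str, in_iface: str, mode: str = "active-paths") -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for a packet with source src arriving on in_iface."""
    if mode not in ("active-paths", "feasible-paths"):
        raise ValueError("mode must be active-paths or feasible-paths")
    routes = fib.matches(ip_address(src), feasible=(mode == "feasible-paths"))
    if not routes:
        return "drop", "no route to source"
    # Assumption: a source whose best route is a discard route is treated as unreachable,
    # which is how source-based blackholing through uRPF works in the Cisco description.
    if all(r.iface is DISCARD for r in routes):
        return "drop", "source routes to discard (blackholed)"
    if any(r.iface == in_iface for r in routes):
        return "forward", "source reachable via incoming interface"
    return "drop", "source not reachable via incoming interface"


def sample_fib() -> Fib:
    """Constructed FIB: a customer, a peer with a feasible alternate path, and one blackholed host."""
    return Fib([
        Route(ip_network("10.0.0.0/8"), "ge-0/0/0"),                   # customer
        Route(ip_network("192.0.2.0/24"), "ge-0/0/1"),                 # peer, active path
        Route(ip_network("192.0.2.0/24"), "ge-0/0/2", active=False),   # peer, feasible alternate
        Route(ip_network("203.0.113.7/32"), DISCARD),                  # blackholed source
    ])


if __name__ == "__main__":
    fib = sample_fib()
    cases = [
        ("10.1.2.3", "ge-0/0/0", "active-paths"),       # legitimate customer traffic
        ("10.1.2.3", "ge-0/0/1", "active-paths"),       # customer address spoofed from the peer
        ("203.0.113.7", "ge-0/0/1", "active-paths"),    # blackholed source
        ("192.0.2.5", "ge-0/0/2", "active-paths"),      # arrives on the non-active path
        ("192.0.2.5", "ge-0/0/2", "feasible-paths"),    # same packet, feasible-paths mode
        ("198.51.100.9", "ge-0/0/0", "active-paths"),   # no route at all
    ]
    for src, iface, mode in cases:
        verdict, why = urpf_check(fib, src, iface, mode)
        print(f"{src:>14} on {iface} [{mode}]: {verdict} ({why})")
```

The feasible-paths pair in the sample shows why the mode matters on a multihomed edge: with only the active path considered, legitimate traffic arriving over the alternate link is discarded, so strict active-paths uRPF belongs on single-homed customer-facing interfaces and feasible-paths (or no uRPF) on links where return paths may be asymmetric.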