UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) Strict mode or via egress ACL.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3164 NET0950 SV-15424r2_rule ECSC-1 High
Description
When Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the router would use to forward the return packet.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2016-12-23

Details

Check Text ( C-12891r2_chk )
Step 1: Verify that uRPF check is enabled. The unicast-reverse-path statement must be included in the
routing-options forwarding-table hierarchy level. The configuration should look similar to the following:

routing-options {
forwarding-table {
unicast-reverse-path active-paths;
}
}

Note: To consider all feasible paths during the uRPF check, include the feasible-paths option. Feasible is a
superset of active path. For example, if you have a BGP session where you receive a route advertisement
and you accept it (but it is not active, because there's some other route with better preference), that's
considered a feasible path.

Step 2: Verify that uRPF strict mode is enabled on all internal interfaces. The absence of the mode
loose statement defaults to strict mode. The configuration should look similar to the following:

interfaces {
so-0/0/0 {
unit 0 {
family inet {
rpf-check;
}
}
}
}

Step 3: If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface.
However, when a packet is not accepted on an interface, unicast RPF counts the packet and may send it to
an optional fail-filter. You can define the fail-filter to perform any operation, including accepting,
rejecting, logging, sampling, or policing. Hence, if a fail-filter was defined as shown in the below, verify
that it does not accept the packet. The configuration should look similar to the following:

interfaces {
so-0/0/0 {
unit 0 {
family inet {
rpf-check fail-filter rpf-fail;
}
}
}
}

firewall {
filter rpf-fail {
term 1 {
then {
log;
reject;
}
}
}
}

ACL Example:
[edit interfaces]
fe-2/0/10 {
description "downstream link to our network”;
unit 0 {
family inet {
filter {
input egress-filter;
}
address 199.36.90.1/24;
}
}
}
}

[edit firewall]
family inet {
filter egress-filter {
term term-established {
from {
protocol tcp;
tcp-established;
}
then accept;
}
term ext-DNS {
from {
source-address {
201.111.2.130/32;
}
protocol udp;
source-port 53;
}
then accept;
}
}
term http-ftp {
from {
source-address {
201.111.2.0/24;
}
protocol tcp;
destination-port [20 21 80 443 ];
}
then accept;
}
}
.
.
.
term default-action {
then {
syslog;
discard;
}
}
}
}
Fix Text (F-3189r5_fix)
Configure the network device from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling uRPF Strict mode or via egress ACL.