The network device must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) Strict mode or via egress ACL.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3164	NET0950	SV-15424r2_rule	ECSC-1	High

Description
When Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the router would use to forward the return packet.

STIG	Date
Perimeter Router Security Technical Implementation Guide Juniper	2018-11-28

Details

Check Text ( C-12891r2_chk )
Step 1: Verify that uRPF check is enabled. The unicast-reverse-path statement must be included in the routing-options forwarding-table hierarchy level. The configuration should look similar to the following: routing-options { forwarding-table { unicast-reverse-path active-paths; } } Note: To consider all feasible paths during the uRPF check, include the feasible-paths option. Feasible is a superset of active path. For example, if you have a BGP session where you receive a route advertisement and you accept it (but it is not active, because there's some other route with better preference), that's considered a feasible path. Step 2: Verify that uRPF strict mode is enabled on all internal interfaces. The absence of the mode loose statement defaults to strict mode. The configuration should look similar to the following: interfaces { so-0/0/0 { unit 0 { family inet { rpf-check; } } } } Step 3: If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface. However, when a packet is not accepted on an interface, unicast RPF counts the packet and may send it to an optional fail-filter. You can define the fail-filter to perform any operation, including accepting, rejecting, logging, sampling, or policing. Hence, if a fail-filter was defined as shown in the below, verify that it does not accept the packet. The configuration should look similar to the following: interfaces { so-0/0/0 { unit 0 { family inet { rpf-check fail-filter rpf-fail; } } } } firewall { filter rpf-fail { term 1 { then { log; reject; } } } } ACL Example: [edit interfaces] fe-2/0/10 { description "downstream link to our network”; unit 0 { family inet { filter { input egress-filter; } address 199.36.90.1/24; } } } } [edit firewall] family inet { filter egress-filter { term term-established { from { protocol tcp; tcp-established; } then accept; } term ext-DNS { from { source-address { 201.111.2.130/32; } protocol udp; source-port 53; } then accept; } } term http-ftp { from { source-address { 201.111.2.0/24; } protocol tcp; destination-port [20 21 80 443 ]; } then accept; } } . . . term default-action { then { syslog; discard; } } } }

Check Text ( C-12891r2_chk )

Step 1: Verify that uRPF check is enabled. The unicast-reverse-path statement must be included in the
routing-options forwarding-table hierarchy level. The configuration should look similar to the following:

routing-options {
forwarding-table {
unicast-reverse-path active-paths;
}
}

Note: To consider all feasible paths during the uRPF check, include the feasible-paths option. Feasible is a
superset of active path. For example, if you have a BGP session where you receive a route advertisement
and you accept it (but it is not active, because there's some other route with better preference), that's
considered a feasible path.

Step 2: Verify that uRPF strict mode is enabled on all internal interfaces. The absence of the mode
loose statement defaults to strict mode. The configuration should look similar to the following:

interfaces {
so-0/0/0 {
unit 0 {
family inet {
rpf-check;
}
}
}
}

Step 3: If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface.
However, when a packet is not accepted on an interface, unicast RPF counts the packet and may send it to
an optional fail-filter. You can define the fail-filter to perform any operation, including accepting,
rejecting, logging, sampling, or policing. Hence, if a fail-filter was defined as shown in the below, verify
that it does not accept the packet. The configuration should look similar to the following:

interfaces {
so-0/0/0 {
unit 0 {
family inet {
rpf-check fail-filter rpf-fail;
}
}
}
}

firewall {
filter rpf-fail {
term 1 {
then {
log;
reject;
}
}
}
}

ACL Example:
[edit interfaces]
fe-2/0/10 {
description "downstream link to our network”;
unit 0 {
family inet {
filter {
input egress-filter;
}
address 199.36.90.1/24;
}
}
}
}

[edit firewall]
family inet {
filter egress-filter {
term term-established {
from {
protocol tcp;
tcp-established;
}
then accept;
}
term ext-DNS {
from {
source-address {
201.111.2.130/32;
}
protocol udp;
source-port 53;
}
then accept;
}
}
term http-ftp {
from {
source-address {
201.111.2.0/24;
}
protocol tcp;
destination-port [20 21 80 443 ];
}
then accept;
}
}
.
.
.
term default-action {
then {
syslog;
discard;
}
}
}
}

Fix Text (F-3189r5_fix)
Configure the network device from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling uRPF Strict mode or via egress ACL.