Default is to a valid next-hop. This definitely helps, as the generate route was an option I had previously not explored.
> ---------------------------
> Date: Fri, 28 Feb 2014 17:38:58 -0500
> From: Chuck Anderson <c...@wpi.edu>
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] urpf
> Message-ID: <20140228223857.ge9...@angus.ind.wpi.edu>
> Content-Type: text/plain; charset=utf-8
>
>> On Fri, Feb 28, 2014 at 03:03:57PM -0700, thomas.bowlby wrote:
>> Installing some juniper routers as borders and need specifically RTBH
>> functionality.
>> This was accomplished by upgrading code to > 12.1 (specifically 12.3R4.5)
>> and including
>> 'set forwarding-options rpf-loose-mode-discard family inet'
>> 'set forwarding-options rpf-loose-mode-discard family inet6'
>>
>> Issue running up against is the current need to have a default (although as
>> of today we receive full-tables) and if source is not in table and hits the
>> default route is discarded.
>>
>> I don't see a option similar to other vendor for allow-default.
>> current solution seems to include two different statics for 0.0.0.0/1 and
>> 128.0.0.0/1.
>> other options I'm unaware of?
>
> What does your default route look like? Is it a static default with a
> reject next hop? Can you instead use a generate route and does that
> help? Something like this:
>
> set routing-options rib inet6.0 generate route ::/0 policy DEFAULT-CONTRIB
> set routing-options generate route 0.0.0.0/0 policy DEFAULT-CONTRIB
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 128.63.2.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.5.4.0/23 orlonger
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.33.4.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.36.148.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.58.128.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.112.36.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.203.230.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 192.228.79.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 193.0.14.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 198.41.0.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.83.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 199.7.91.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET from route-filter 202.12.27.0/24 exact
> set policy-options policy-statement DEFAULT-CONTRIB term ROOT-SERVERS.NET then accept
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:1::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2d::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:2f::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:500:3::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:ba3e::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:503:c27::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fd::/48 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:7fe::/33 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET from route-filter 2001:dc3::/32 exact
> set policy-options policy-statement DEFAULT-CONTRIB term V6-ROOT-SERVERS.NET then accept
> set policy-options policy-statement DEFAULT-CONTRIB term REJECT then reject
>
>
> Another idea might be to filter the default route from the forwarding
> table to see if that prevents uRPF discard mode from triggering:
>
> set routing-options forwarding-table export REJECT-DEFAULT
> set policy-options policy-statement REJECT-DEFAULT from route-filter 0.0.0.0/0 exact
> set policy-options policy-statement REJECT-DEFAULT then reject
>
>
> ------------------------------
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
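
Added example, not part of the thread and not Junos code: a simplified Python model of the behaviour the original poster describes, where loose-mode uRPF with discard checking drops a source that matches only the default route, and two /1 statics work around it while RTBH sources are still dropped. The routing-table contents, next-hop names and the `allow_default` flag are constructed assumptions for illustration.

```python
import ipaddress

DISCARD = "discard"  # next hop of an RTBH blackhole route (name is an assumption)

def make_rib(entries):
    """Build {network: next_hop} from constructed prefix strings."""
    return {ipaddress.ip_network(p): nh for p, nh in entries.items()}

def best_route(rib, src):
    """Longest-prefix match for src; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(src)
    matches = [(net, nh) for net, nh in rib.items() if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def loose_urpf_pass(rib, src, allow_default=False):
    """Assumed semantics: loose uRPF that also fails discard routes."""
    hit = best_route(rib, src)
    if hit is None:
        return False              # no route at all for the source
    net, next_hop = hit
    if next_hop == DISCARD:
        return False              # RTBH: source is covered by a blackhole route
    if net.prefixlen == 0 and not allow_default:
        return False              # only the default route matched the source
    return True

# Constructed sample tables using documentation prefixes, not from the thread.
ROUTES = {"203.0.113.0/24": "peer", "203.0.113.66/32": DISCARD}
WITH_DEFAULT = make_rib({**ROUTES, "0.0.0.0/0": "upstream"})
WITH_HALVES = make_rib({**ROUTES, "0.0.0.0/1": "upstream",
                        "128.0.0.0/1": "upstream"})

def verdicts(rib):
    """Pass/fail per source: known route, blackholed host, default-only."""
    sources = ["203.0.113.10", "203.0.113.66", "198.51.100.7"]
    return {s: loose_urpf_pass(rib, s) for s in sources}

if __name__ == "__main__":
    print("default route :", verdicts(WITH_DEFAULT))
    print("two /1 statics:", verdicts(WITH_HALVES))
```
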