Routing Policies and Firewall Filters
12. Unicast reverse-path-forwarding (RPF)
Unicast Reverse Path Forwarding (RPF) is a technique used to prevent certain types of network attacks, in particular IP source-address spoofing. RPF helps ensure that a packet received on an interface really comes from the source address it claims, by verifying that the source address is reachable through the same interface on which the packet arrived.
RPF works by looking up the source address of each incoming packet in the routing table. If the best route to that source address does not point back out the interface on which the packet was received, the packet is treated as suspicious and discarded.
In Junos, RPF is enabled per interface with the rpf-check statement under family inet (the unicast-reverse-path keyword belongs under routing-options forwarding-table, where it selects whether only active-paths or all feasible-paths count as valid return paths). For example:
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                    rpf-check;
                }
            }
        }
    }
In this example, unicast RPF is enabled on the ge-0/0/0 interface. Every packet arriving on this interface has its source address looked up in the routing table, and the packet is accepted only if the route to that source points back through ge-0/0/0. If the source address is not reachable through this interface, the packet is discarded.
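The check described above, worked through as an added simulation (this is illustrative code, not Junos or any Juniper code): a constructed routing table with longest-prefix lookup, a strict check that compares the route's outgoing interface with the packet's ingress interface, and a loose check that only requires some route to the source to exist. The sample routes, interfaces and packet source addresses are all constructed for the example; the equal-cost prefix shows why a router must decide whether every feasible path or only the active path counts as a valid return path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interfaces: frozenset  # interfaces the prefix is reachable through (more than one for ECMP)


def route(prefix, *ifaces):
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


# Constructed sample routing table (hypothetical, not taken from a real device).
# There is deliberately no default route: an unrouted source then fails in both modes.
ROUTING_TABLE = [
    route("192.168.1.0/24", "ge-0/0/0"),             # directly connected customer LAN
    route("10.0.0.0/8", "ge-0/0/1"),                 # internal aggregate
    route("10.20.0.0/16", "ge-0/0/2"),               # more specific internal prefix
    route("172.16.0.0/12", "ge-0/0/3", "ge-0/0/4"),  # equal-cost paths via two interfaces
]


def lookup(table, address):
    """Longest-prefix match: return the most specific Route covering address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(table, src, ingress, mode="strict"):
    """Return True if a packet from src arriving on ingress passes the uRPF check.

    strict: the best route to src must point back out the ingress interface.
    loose:  any route to src is enough, regardless of interface (useful where
            routing is asymmetric, at the cost of weaker spoofing protection).
    """
    r = lookup(table, src)
    if r is None:
        return False  # no route to the source at all: drop in both modes
    if mode == "loose":
        return True
    return ingress in r.interfaces


def filter_packets(table, packets, mode="strict"):
    """Apply the check to (src, ingress) pairs; return the sources that would be dropped."""
    return [src for src, ingress in packets if not rpf_check(table, src, ingress, mode)]


# Constructed sample traffic: (source address, interface the packet arrived on).
PACKETS = [
    ("192.168.1.50", "ge-0/0/0"),  # legitimate: source reachable via the ingress interface
    ("192.168.1.50", "ge-0/0/1"),  # customer address arriving from the core: spoofed
    ("10.20.5.5", "ge-0/0/1"),     # asymmetric path: best route points at ge-0/0/2
    ("172.16.9.9", "ge-0/0/4"),    # ECMP: either equal-cost interface satisfies strict mode
    ("203.0.113.7", "ge-0/0/0"),   # no route to the source at all
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"{mode} mode drops: {filter_packets(ROUTING_TABLE, PACKETS, mode)}")
```

Running the block shows strict mode dropping the spoofed customer address, the asymmetrically routed internal source and the unrouted source, while loose mode drops only the unrouted source; that difference is exactly the trade-off between the two modes when deciding where on the network each one is safe to enable.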
RPF provides an effective means of preventing IP spoofing attacks and helping to ensure the security and stability of the network.