Add support for unicast Reverse Path Forwarding (URPF) check.

[rszarecki]

Change Scope

• This change introduces support for uRPF - the security techniqyes protecting against source addrress spoofing - described in:
  • rfc2827.
  • rfc3704.
  • rfc5635.
  • rfc8704
    The uRPF Protocol-independent, network-instance functionality with per ingress-interface configuration. This change adds following tree:

module: openconfig-interfaces
  +--rw interfaces
     +--rw interface* [name]
        +--rw subinterfaces
           +--rw subinterface* [index]
              +--rw oc-ip:ipv4
               | +--rw oc-ip:urpf
               |    +--rw oc-ip:config
               |    |  +--rw oc-ip:enabled?               boolean
               |    |  +--rw oc-ip:mode?                  oc-ni-types:urpf-mode
               |    |  +--rw oc-ip:allow-default-route?   boolean
               |    |  +--rw oc-ip:allow-drop-next-hop?   boolean
               |    |  +--rw oc-ip:allow-feasible-path?   boolean
               |    +--rw oc-ip:state
               |       +--rw oc-ip:enabled?               boolean
               |       +--rw oc-ip:mode?                  oc-ni-types:urpf-mode
               |       +--rw oc-ip:allow-default-route?   boolean
               |       +--rw oc-ip:allow-drop-next-hop?   boolean
               |       +--rw oc-ip:allow-feasible-path?   boolean
               |       +--rw oc-ip:counters
               |          +--rw oc-ip:urpf-drop-pkts?    oc-yang:counter64
               |          +--rw oc-ip:urpf-drop-bytes?   oc-yang:counter64
              +--rw oc-ip:ipv6
                 +--rw oc-ip:urpf
                    +--rw oc-ip:config
                    |  +--rw oc-ip:enabled?               boolean
                    |  +--rw oc-ip:mode?                  oc-ni-types:urpf-mode
                    |  +--rw oc-ip:allow-default-route?   boolean
                    |  +--rw oc-ip:allow-drop-next-hop?   boolean
                    |  +--rw oc-ip:allow-feasible-path?   boolean
                    +--rw oc-ip:state
                       +--rw oc-ip:enabled?               boolean
                       +--rw oc-ip:mode?                  oc-ni-types:urpf-mode
                       +--rw oc-ip:allow-default-route?   boolean
                       +--rw oc-ip:allow-drop-next-hop?   boolean
                       +--rw oc-ip:allow-feasible-path?   boolean
                       +--rw oc-ip:counters
                          +--rw oc-ip:urpf-drop-pkts?    oc-yang:counter64
                          +--rw oc-ip:urpf-drop-bytes?   oc-yang:counter64

• Change is backward compatible

Platform Implementations

• Juniper JUNOS: Understanding Unicast RPF (Routers)
• Cisco IOS-XR: Implementing URPF
• Arista EoS: Unicast Reverse Path Forwarding (uRPF)

[dplore]

/gcbrun

[OpenConfigBot]

No major YANG version changes in commit ad19daa

[dplore]

/gcbrun

[dplore]

Here and throughout, we have an OC bias for new models against specifying defaults, unless this is defined by RFC. I recommend we remove the default and require the client to specify the node they want.

[dplore]

/gcbrun

[dplore]

/gcbrun

[dplore]

In OC operators discussion it was observed this option is rarely supported so Rafal thought it reasonable to have a default.

However, IMO, it is less confusing and more consistent if we don't assign a default here and stick to a policy of only defining defaults when the feature specification requires a default.

[dplore]

nit: I recommend moving the reference statement from the counters up to the grouping here.

[dplore]

  when "../enabled = 'true'" {

[dplore]

Suggested change

	"The URPF in STRICT mode requires packet source address to LPM some route
	in FIB, AND next-hop of this route must be interface packet was
	received on.
	The URPF in LOOSE mode requires packet source address to LPM some route
	in FIB.
	This leaf is irrelevalnt and should be ignored if URPF is not enabled.";
	"The URPF in STRICT mode requires the ingress packet source address
	to have a longest prefix match (LPM) for a route in the forwarding table
	with a next-hop of the interface the packet was received on.
	The URPF in LOOSE mode requires the ingress packet source address to
	LPM a route in the forwarding table, but may have any next-hop.
	This leaf is only valid if URPF is enabled.";

[dplore]

Suggested change

	"If set to false, and packets source address LPM the default route -
	0.0.0.0/0 or ::/0 - URPF fails and packet is discarded, as if it would not
	LPM any route.";
	"If set to false, and the packet's source address LPMs to the
	default route (0.0.0.0/0 or ::/0) then the URPF check fails and the
	packet is discarded.";

[dplore]

Suggested change

	"If set to false, and packets source address LPM the route with DROP
	next-hop URPF fails and packet is discarded, as if it would not
	LPM any route.";
	"If set to false, and the packet's source address LPMs to a route
	with DROP as the next-hop, then the URPF check fails and the packet
	is discarded.";

[dplore]

I'm not sure I understand this description completely.

If the source address LPM matches an entry in a routing protocol RIB (BGP local RIB or ISIS RIB), but not in the forwarding table, it should pass the URPF check and forwarded? Is that that intention?

[rszarecki]

No. Let say we have 7 BGP paths, equally good, but since multipath is DISABLED only one is the best. So local speaker install only one if it as best and forwarding TOWARD given A address. However any of peer speaker can forward traffic sourced at A toward destination Z. Feasible path allows to accept traffic coming from A from any of peers, not only one.

…

-------------- Rafal Szarecki

On Tue, May 13, 2025 at 12:03 Darren Loher ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > + type boolean; + description + "If set to false, and packets source address LPM the default route - + 0.0.0.0/0 or ::/0 - URPF fails and packet is discarded, as if it would not + LPM any route."; + } + leaf allow-drop-next-hop { + type boolean; + description + "If set to false, and packets source address LPM the route with DROP + next-hop URPF fails and packet is discarded, as if it would not + LPM any route."; + } + leaf allow-feasible-path { + type boolean; + default false; In OC operators discussion it was observed this option is rarely supported so Rafal thought it reasonable to have a default. However, IMO, it is less confusing and more consistent if we don't assign a default here and stick to a policy of only defining defaults when the feature specification requires a default. ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > @@ -1224,6 +1246,79 @@ revision "2023-06-30" { } } + grouping urpf-config { + description + "Grouping configuration coniguration of URPF"; nit: I recommend moving the reference statement from the counters up to the grouping here. ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > @@ -1224,6 +1246,79 @@ revision "2023-06-30" { } } + grouping urpf-config { + description + "Grouping configuration coniguration of URPF"; + leaf enabled { + type boolean; + default false; + description + "Turns ON/OFF packet's source address verification against content of + FIB. This is one of anti-spoofing protection techniques."; + } + leaf mode { + type urpf-mode; + description when "../enabled = 'true'" { ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > + "The URPF in STRICT mode requires packet source address to LPM some route + in FIB, AND next-hop of this route must be interface packet was + received on. + The URPF in LOOSE mode requires packet source address to LPM some route + in FIB. + This leaf is irrelevalnt and should be ignored if URPF is not enabled."; ⬇️ Suggested change - "The URPF in STRICT mode requires packet source address to LPM some route - in FIB, AND next-hop of this route must be interface packet was - received on. - The URPF in LOOSE mode requires packet source address to LPM some route - in FIB. - This leaf is irrelevalnt and should be ignored if URPF is not enabled."; + "The URPF in STRICT mode requires the ingress packet source address + to have a longest prefix match (LPM) for a route in the forwarding table + with a next-hop of the interface the packet was received on. + The URPF in LOOSE mode requires the ingress packet source address to + LPM a route in the forwarding table, but may have any next-hop. + This leaf is only valid if URPF is enabled."; ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > + "If set to false, and packets source address LPM the default route - + 0.0.0.0/0 or ::/0 - URPF fails and packet is discarded, as if it would not + LPM any route."; ⬇️ Suggested change - "If set to false, and packets source address LPM the default route - - 0.0.0.0/0 or ::/0 - URPF fails and packet is discarded, as if it would not - LPM any route."; + "If set to false, and the packet's source address LPMs to the + default route (0.0.0.0/0 or ::/0) then the URPF check fails and the + packet is discarded."; ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > + "If set to false, and packets source address LPM the route with DROP + next-hop URPF fails and packet is discarded, as if it would not + LPM any route."; ⬇️ Suggested change - "If set to false, and packets source address LPM the route with DROP - next-hop URPF fails and packet is discarded, as if it would not - LPM any route."; + "If set to false, and the packet's source address LPMs to a route + with DROP as the next-hop, then the URPF check fails and the packet + is discarded."; ------------------------------ In release/models/interfaces/openconfig-if-ip.yang <#1307 (comment)>: > + "The routing system may select subset of equally-good path as result of + tie-break (e.g. BGP RID) or ECMP width limits. If set to true, packet + are accepted if source address LPM to any equally-good path, even if it + is not selected for forwading."; I'm not sure I understand this description completely. If the source address LPM matches an entry in a routing protocol RIB (BGP local RIB or ISIS RIB), but not in the forwarding table, it should pass the URPF check and forwarded? Is that that intention? — Reply to this email directly, view it on GitHub <#1307 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALDSOVKJNZ5HJ3F7UHHZSWL26I6Y5AVCNFSM6AAAAAB47L76XKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDQMZXG44DOOJTGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[dplore]

Suggested change

	"The routing system may select subset of equally-good path as result of
	tie-break (e.g. BGP RID) or ECMP width limits. If set to true, packet
	are accepted if source address LPM to any equally-good path, even if it
	is not selected for forwading.";
	"The routing system may select subset of all learned paths. For example,
	BGP without multi-path enabled will install only one of many possible ECMP
	paths into the FIB or ECMP multipath limits may select only a subset of all
	available paths. If set to true, the URPF check passes if the source address
	LPMs to any path in the RIB, even if it is not selected for forwarding in the
	FIB.";

Thanks for the more detailed explanation. I suggest adding this wording to
make the intent even more clear.