Regular Member
Posts: 514
Registered: ‎03-03-2012
Kudos: 137
Solutions: 12

source-validation enable and default route?

How does source-validation enable handle the interface that provides the default route?

Are all sources allowed or are martians (RFC1918/multicast etc) blocked anyways?

 

Thanks.



All Replies
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?

I think it depends on which you choose:

 

ubnt@ubnt# set firewall source-validation ?
Possible completions:
  strict	Enable Strict Reverse Path Forwarding as defined in RFC3704
  loose		Enable Loose Reverse Path Forwarding as defined in RFC3704
  disable	No source validation
      
[edit]

Loose means any route (even default), while strict must match the inbound interface.  Strict can be a problem if you have asymmetric routing or multiple paths.

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?


While looking for how to handle multicast traffic, I came across this thread. It seems that (incoming) multicast traffic can be blocked if strict reverse path filtering is enabled, although I don't completely understand yet why. Is this because traffic from 224.0.0.0/4 is different from what is expected on the interfaces? Would it be solved using loose reverse path filtering?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?


@rjh2805 wrote:

While looking for how to handle multicast traffic, I came across this thread. It seems that (incoming) multicast traffic can be blocked if strict reverse path filtering is enabled, although I don't completely understand yet why. Is this because traffic from 224.0.0.0/4 is different from what is expected on the interfaces? Would it be solved using loose reverse path filtering?


source-validation is on the source address while multicast is a destination address.

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

Thanks for your quick reply, Stig. Just for my own understanding: do you understand then what exactly the problem described in this blog post is? Although I completely understand your answer, the issue raised there seems to be a non-issue.

Any help would be greatly appreciated!

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?


@rjh2805 wrote:

Thanks for your quick reply, Stig. Just for my own understanding: do you understand then what exactly the problem described in this blog post is? Although I completely understand your answer, the issue raised there seems to be a non-issue.


Well the only thing I can think of is that he mentioned eth0, eth1 and disabling the rpf check on ppp0.  I've heard of some IPTV implementations where the real "wan" interface is authenticated over pppoe, but the IPTV multicast comes in on the parent interface instead of the pppoe one.  So let's say the multicast packet comes in on eth0 with source address 1.1.1.1 and destination 224.0.0.1.  The rpf check for 1.1.1.1 says that to get there you use the default route on pppoe, but since it came in on eth0 it gets dropped.

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

Just a follow-up on this. I currently have source-validation disabled in EdgeOS, but found out that 

cat /proc/sys/net/ipv4/conf/eth0.4/rp_filter

returns '1'. So actually it seems that RPF is still somehow enabled. Is this correct? If I would like to force it to be disabled, I do something like

echo 0 > /proc/sys/net/ipv4/conf/eth0.4/rp_filter

 How do I make the settings take effect? If I understood correctly, I somehow have to restart the networking stack.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?

Post your config.

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

Here are the relevant parts, I guess. Please let me know if you need more.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name WAN_LAN_IPTV {
        default-action drop
        description "WAN to LAN (IPTV)"
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL_IPTV {
        default-action drop
        description "WAN to router (IPTV)"
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            protocol igmp
        }
        rule 3 {
            action accept
            destination {
                address 224.0.0.0/4
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description WAN
        duplex auto
        poe {
            output off
        }
        speed auto
        vif 4 {
            address dhcp
            description IPTV
            firewall {
                in {
                    name WAN_LAN_IPTV
                }
                local {
                    name WAN_LOCAL_IPTV
                }
            }
        }
    }
}

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?

Well it's not supposed to be enabled by default, so I'm not sure how it got disabled, but you could probably do:

configure
set interfaces ethernet eth0 vif 4 ip source-validation disable
commit
save
exit

 

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

Do you mean that it's a bug that rp_filter is set to '1' if source-validation is not set to strict or loose?

Just added source-validation disable to the config of eth0.4, as you suggested, but I still see the following:

admin@ubnt-er-poe# show interfaces ethernet eth0 vif 4
 address dhcp
 description IPTV
 firewall {
     in {
         name WAN_LAN_IPTV
     }
     local {
         name WAN_LOCAL_IPTV
     }
 }
+ip {
+    source-validation disable
+}
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# exit
Warning: configuration changes have not been saved.
exit
admin@ubnt-er-poe:~$ cat /proc/sys/net/ipv4/conf/eth0.4/rp_filter
1
admin@ubnt-er-poe:~$

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?


@rjh2805 wrote:

Do you mean that it's a bug that rp_filter is set to '1' if source-validation is not set to strict or loose?

Just added source-validation disable to the config of eth0.4, as you suggested, but I still see the following:

Hmm, that's odd.  That should not be enabled by default.  Are you running some outside program that could be setting those values?

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?


@UBNT-stig wrote:

@rjh2805 wrote:

Do you mean that it's a bug that rp_filter is set to '1' if source-validation is not set to strict or loose?

Just added source-validation disable to the config of eth0.4, as you suggested, but I still see the following:

Hmm, that's odd.  That should not be enabled by default.  Are you running some outside program that could be setting those values?


Not that I'm aware of. I checked some other interfaces, and they all have rp_filter set to '1'. I did some more testing (this time on eth0.34):

admin@ubnt-er-poe# set interfaces ethernet eth0 vif 34 ip source-validation disable
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# cat /proc/sys/net/ipv4/conf/eth0.34/rp_filter
1
[edit]
admin@ubnt-er-poe# load
Loading configuration from '/config/config.boot'...

Load complete.  Use 'commit' to make changes active.
[edit]
admin@ubnt-er-poe# compare
[edit interfaces ethernet eth0 vif 34]
-ip {
-    source-validation disable
-}
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# cat /proc/sys/net/ipv4/conf/eth0.34/rp_filter
0
[edit]
admin@ubnt-er-poe# set interfaces ethernet eth0 vif 34 ip source-validation disable
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# cat /proc/sys/net/ipv4/conf/eth0.34/rp_filter
0
[edit]
admin@ubnt-er-poe# delete interfaces ethernet eth0 vif 34 ip source-validation
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# cat /proc/sys/net/ipv4/conf/eth0.34/rp_filter
0
[edit]
admin@ubnt-er-poe# load
Loading configuration from '/config/config.boot'...

Load complete.  Use 'commit' to make changes active.
[edit]
admin@ubnt-er-poe# compare
[edit interfaces ethernet eth0 vif 34]
-ip {
-}
[edit]
admin@ubnt-er-poe# commit
[edit]
admin@ubnt-er-poe# cat /proc/sys/net/ipv4/conf/eth0.34/rp_filter
0
[edit]
admin@ubnt-er-poe#

 So my conclusion now is that rp_filter is set to '1' by default, and that disabling it for the first time doesn't help. Then, when I remove the 'disable' config again and commit that, it's actually disabled. I can however only produce this behavior once per interface.

Do you need some more information for debugging?

Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

By the way, I realized that up to some two weeks ago, I used source-validation loose in my firewall config. At that point in time, I didn't know I could configure this per interface. Can it be the case that the bug is caused by the fact that source validation can be configured in two places, i.e., in firewall and interfaces? It would be nice to somehow find out what is causing the inconsistency between CLI and file contents, as unpredictable behavior is the result.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?

Well I did a bunch of testing of both the loose and strict settings and as long as I delete the source-validation node it goes back to zero.  However I did find that if I have either strict or loose and then change it to disable, then the value does not go back to zero.  I'll look into that.

EdgeMAX Router Software Development
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

Thanks for following up on that. I'm curious about your findings and I think that the fact that I used source-validation loose before causes the issue in my setup.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3126
Solutions: 945
Contributions: 16

Re: source-validation enable and default route?


@rjh2805 wrote:

Thanks for following up on that. I'm curious about your findings and I think that the fact that I used source-validation loose before causes the issue in my setup.


Well it looks like the kernel behavior for rp_filter has changed.  There is a comment in our code that says:

# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to
# a value greater than 0 to do source validation on the interface

 However the sysctl notes for kernel 3.4.27 (https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/networking/i... say something different:

rp_filter - INTEGER
	0 - No source validation.
	1 - Strict mode as defined in RFC3704 Strict Reverse Path
	    Each incoming packet is tested against the FIB and if the interface
	    is not the best reverse path the packet check will fail.
	    By default failed packets are discarded.
	2 - Loose mode as defined in RFC3704 Loose Reverse Path
	    Each incoming packet's source address is also tested against the FIB
	    and if the source address is not reachable via any interface
	    the packet check will fail.

	Current recommended practice in RFC3704 is to enable strict mode
	to prevent IP spoofing from DDos attacks. If using asymmetric routing
	or other complicated routing, then loose mode is recommended.

	The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

	Default value is 0. Note that some distributions enable it
	in startup scripts.

So it looks to me like the per-interface values shouldn't mess with the "all" values, but currently they do.

EdgeMAX Router Software Development
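The following is an added worked model (written for this page, not EdgeOS or kernel code) of the three rp_filter modes from the sysctl notes quoted above, the max(all, interface) rule, and the IPTV drop Stig described earlier in the thread (source 1.1.1.1 arriving on eth0 while the default route points at ppp0). The FIB and the martian set are constructed; the martian check approximates what the Linux input path rejects before rp_filter is consulted, and RFC 1918 space is deliberately not in it.

```python
import ipaddress

# Constructed FIB modelled on the IPTV scenario in this thread: a LAN prefix
# on eth1, a directly connected provider segment on eth0, and the default
# route via ppp0. Entries are (prefix, egress interface); longest match wins.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),       # default route
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),  # LAN
    (ipaddress.ip_network("10.0.0.0/24"), "eth0"),     # IPTV provider segment
]

def lookup(src):
    """Longest-prefix match over FIB; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, dev) for net, dev in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def is_martian_source(src):
    """Approximation of sources Linux drops before any rp_filter decision:
    multicast, limited broadcast, 0.0.0.0/8 and loopback. RFC 1918 space is
    NOT here; for RPF purposes it is ordinary routable unicast."""
    a = ipaddress.ip_address(src)
    return (a.is_multicast or a.is_loopback
            or a in ipaddress.ip_network("0.0.0.0/8")
            or a == ipaddress.ip_address("255.255.255.255"))

def effective_mode(all_rp_filter, iface_rp_filter):
    """Kernel rule quoted in the thread: the larger of conf/all/rp_filter and
    conf/<iface>/rp_filter is what actually applies on <iface>."""
    return max(all_rp_filter, iface_rp_filter)

def rpf_accepts(src, in_iface, mode):
    """mode 0 = no validation, 1 = strict (the route back to src must leave
    via in_iface), 2 = loose (any route, the default route included)."""
    if is_martian_source(src):
        return False
    if mode == 0:
        return True
    egress = lookup(src)
    if mode == 2:
        return egress is not None
    return egress == in_iface

if __name__ == "__main__":
    # IPTV case: 1.1.1.1 -> 224.0.0.1 arrives on eth0, FIB says ppp0.
    for mode in (0, 1, 2):
        print("mode", mode, "accepts IPTV packet:", rpf_accepts("1.1.1.1", "eth0", mode))
    # Spoofed LAN source arriving on the WAN: strict catches it, loose does not.
    print("loose, spoofed LAN src on ppp0:", rpf_accepts("192.168.1.10", "ppp0", 2))
```

With a default route present, loose mode accepts every non-martian source, RFC 1918 included, which is the answer to the question that opened the thread; only strict mode ties the source to the inbound interface.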
Regular Member
Posts: 334
Registered: ‎04-25-2014
Kudos: 292
Solutions: 13

Re: source-validation enable and default route?

What will be the upcoming steps with regard to this issue? It would be nice if this could be fixed rather soon, since the issue arises every time the router is rebooted, for example. I would be happy to test it for you :)
