Juniper security appnote + martians

From: Stephen Gill (gillsr@yahoo.com)
Date: Tue Jul 23 2002 - 17:20:14 EDT


Gents,

While scanning through Juniper's latest security app_note at
www.juniper.net I noticed a few small oddities in the appnote that might
warrant some minor changes. Most are quite minor:

1. Source quench is not listed in the allowed ICMP protocols. This
might be helpful to not overload a syslog server, netflow server, etc.
2. Telnet is listed in Telnet/SSH term but it is not allowed in the TCP
connections just prior to it. Also telnet service isn't used.
3. NTP and DNS terms refer to source-address instead of
source-prefix-list.
4. Typo: 223.255.55.0/24 is listed instead of 223.255.255.0/24
5. 10/8 and 192.168/16 are listed in martians but they are used as part
of the router config. Perhaps a comment should be made in the text that
these martians should not be included if private addressing is used.
6. It might be good to note that the Radius side will require the
vendor specific "local-user name" parameter for the local user templates
to work. Otherwise a "remote" template will be required for Radius
auth.

Additionally I'm trying to find out additional information on the
reasoning behind adding these martians to the Juniper's document:

Prefix           Description
19.255.0.0/16    Ford Motor Company
129.156.0.0/16   Sun Microsystems
192.5.0.0/24     no match
192.9.200.0/24   no match
192.9.99.0/24    Sun Microsystems

I don't see a single reference to these in Cisco's IOS Essentials
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
Bill Manning's draft
http://www.ietf.org/internet-drafts/draft-manning-dsua-08.txt
or Rob T's Bogon List
http://www.cymru.com/Documents/bogon-list.html

I generally base my bogon filtering for BGP and the Secure Template
(http://www.qorbit.net/documents/junos-template.pdf
http://www.qorbit.net/documents/junos-bgp-template.pdf
http://www.qorbit.net/documents/junos-bgp-appnote.pdf)
on Rob's list. What are your thoughts on filtering the above prefixes?
Are some of these worthy of being added to the master bogon list?

Now, on to some of Juniper's default martians:
128.0.0.0/16
191.255.0.0/16
192.0.0.0/24
223.255.255.0/24

These prefixes seem to be based on
http://www.ietf.org/internet-drafts/draft-iana-special-ipv4-03.txt. I'm
curious what the reasoning is behind selecting these prefixes only.
Also, given that these may be allocated in the future (per the draft)
what are your thoughts on having these in Juniper's default config?
Perhaps these would be good additions to a dynamic (up-to-date) bogon
list instead of a static placement in JUNOS even though they can be
overridden if necessary.

Thoughts?
-- steve
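Two of the points in the post above (a martian such as 10/8 or 192.168/16 that overlaps address space the router itself uses, and a martian such as 223.255.55.0/24 that matches nothing in the IANA special-use list) can be caught mechanically before a filter is committed. The script below is an added example, not part of the post or of Juniper's appnote; the reference list and the sample router prefixes in it are constructed and abbreviated, and the audit_martians name is hypothetical.

```python
"""Audit a candidate martian list against address space actually in use.

Added example (not from the post or Juniper's appnote). Flags two problems:
  * a martian overlapping a prefix the router config uses (the 10/8 and
    192.168/16 case), which would silently drop the router's own traffic;
  * a martian contained in no reference special-use prefix, which usually
    means a typo (the 223.255.55.0/24 case) or an entry needing justification.
The reference list is an abbreviated, constructed copy of the IANA special-use
and RFC 1918 prefixes; extend it from the current registry before real use.
"""
import ipaddress

# Constructed, abbreviated reference list of special-use prefixes.
IANA_SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16",
    "169.254.0.0/16", "172.16.0.0/12", "191.255.0.0/16", "192.0.0.0/24",
    "192.0.2.0/24", "192.168.0.0/16", "223.255.255.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def audit_martians(martians, in_use, reference=IANA_SPECIAL_USE):
    """Return (conflicts, unrecognized) for a list of martian prefix strings.

    in_use holds interface/loopback/peering addresses from the router config
    (host bits allowed, e.g. "10.1.1.1/24"); any martian overlapping one of
    them is a conflict.  A martian that is not a subnet of any reference
    prefix is reported as unrecognized.
    """
    used = [ipaddress.ip_network(p, strict=False) for p in in_use]
    conflicts, unrecognized = [], []
    for text in martians:
        net = ipaddress.ip_network(text)
        if any(net.overlaps(u) for u in used):
            conflicts.append(text)
        if not any(net.subnet_of(r) for r in reference):
            unrecognized.append(text)
    return conflicts, unrecognized


if __name__ == "__main__":
    # Constructed sample: the appnote-style martian list and a router that
    # uses RFC 1918 space for management and a loopback.
    sample_martians = ["10.0.0.0/8", "192.168.0.0/16", "223.255.55.0/24",
                       "128.0.0.0/16", "191.255.0.0/16", "192.0.0.0/24",
                       "223.255.255.0/24"]
    sample_in_use = ["10.1.1.1/24", "192.168.10.1/32"]
    bad, unknown = audit_martians(sample_martians, sample_in_use)
    print("martians overlapping in-use space:", bad)
    print("martians matching no reference prefix:", unknown)
```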



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:36 EDT