[j-nsp] Filtering people pointing default

Junoguy junoguy at earthlink.net
Mon Aug 4 21:34:24 EDT 2003


While looking in the knowledgebase, I ran across this that sounds very
similar or at least in the same path as what you are looking for:


Number: 14257 

Problem: How do I configure the automatic BGP neighbor filter to block
unwanted BGP connections? 

Solution: Beginning with JUNOS Release 5.4, you can use an apply-path to
extract IP addresses from the configuration. By using the resulting
prefix-list in a firewall, you have a universal filter that can be
easily applied to protect the router from unwanted traffic. 

Follow these steps to create a filter to block BGP traffic from all
sources other than configured neighbors. 

Create an apply-path that will automatically parse the contents of the
specified portion of the router's configuration to gather IP addresses.
The following example creates one prefix-list named bgp-allowed which
contains all the neighbor addresses, and a second prefix-list named
called local-addresses which contains all configured local-addresses: 
[edit]
rs at R0# show policy-options 
prefix-list bgp-allowed {
    apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list local-addresses {
    apply-path "interfaces <*> unit <*> family inet address <*>";
}

Verify that the apply-path is working correctly by using the display
inheritance option on the configuration-mode show command: 
[edit]
rs at R0# show policy-options prefix-list local-addresses | display inheritance 
##
## apply-path was expanded to:
##     192.168.0.10/24; 
##     192.168.5.10/24; 
##     192.168.4.10/24; 
##     192.169.3.10/24; 
##     10.0.0.10/32; 
##
apply-path "interfaces <*> unit <*> family inet address <*>";

Next, create a firewall filter that accepts BGP traffic (identified by
protocol and port) between only the listed addresses (in this case, the
apply-paths local-addresses and bgp-allowed), and which drops all other
BGP traffic directed to the local addresses. 
[edit]
rs at R0# show firewall          
family inet {
    filter local-secure {
## allow BGP if between valid source- and destination-addresses
        term 1 {
            from {
                source-prefix-list {
                    bgp-allowed;
                }
                destination-prefix-list {
                    local-addresses;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
## drop all other bgp traffic sent to a local address 
        term 2 {
            from {
                destination-prefix-list {
                    local-addresses;
                }
                protocol tcp;
                port bgp;
            }
            then {
                reject;
            }
        }
## Allow all other traffic
        term 3 {
            then accept;
        }
    }
}


Apply the filter as an input filter to the desired interfaces. Add more
firewall terms as necessary to allow or deny other traffic. 



Mario



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Richard A
Steenbergen
Sent: Friday, August 01, 2003 11:19 PM
To: Jared Mauch
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Filtering people pointing default


On Fri, Aug 01, 2003 at 08:57:26PM -0400, Jared Mauch wrote:
> On Fri, Aug 01, 2003 at 08:49:10PM -0400, Richard A Steenbergen wrote:
> > [...] The usefulness of such a
> > feature knows no bounds in my eyes...
> 
> 	Juniper has implemented (Q-Pic [aka QPP]) dual and
> single GE mac accounting.
> 
> 	This can be done to count packets from peers across such multiaccess
> media.
> 
> 	You should contact Juniper directly about 10GE or other speed 
> ethernet device support for mac accounting to get their latest plans 
> of supporting such a feature.

Ignoring the price tag of QPP GigE PICs for the moment, and without
downplaying the importance of mac accounting for capacity engineering of
peers over public exchanges, that doesn't address the issue of existing
peers sending traffic to non-authorized routes. In the past people have
done a primitive form of filtering by using dedicated border routers
which only carry customer and internal routes, with a default to
null0/discard. Call me crazy but I'd rather just fix the software. :)

> 	It would also be useful IMHO if Juniper had in their ethernet 
> interfaces the ability to log the mac address a packet came from (ala 
> cisco log-input) but that is another discussion.

That too...

-- 
Richard A Steenbergen <ras at e-gerbil.net>
http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
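The KB text quoted above describes three pieces that interact: apply-path expansion of the configuration into prefix-lists, and a three-term filter whose ordering decides which BGP packets survive. The following is an added example, not Juniper's code and not part of the list post: a small Python model that expands the two apply-paths against a constructed "display set" style configuration (addresses are made up) and then walks the terms of local-secure in order. It assumes simplified semantics (only TCP and port 179 are considered, and "port bgp" matches either source or destination port, as on Junos). One thing it makes visible that the prose glosses over: interface addresses are expanded with their configured mask, so a 192.168.0.10/24 entry in local-addresses matches the whole connected /24, and term 2 therefore also rejects transit BGP sessions headed for other hosts on that subnet.

```python
"""Model of the apply-path / prefix-list / firewall-filter logic from the KB text.

Added example (not Juniper's code). Expands apply-path wildcards against a
constructed set-format config, then walks the local-secure filter terms in order.
"""
import ipaddress
import re

BGP_PORT = 179  # "port bgp" on Junos matches source OR destination port 179

# Constructed sample configuration in "display set" form (not from a real router).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.10/24
set interfaces lo0 unit 0 family inet address 10.0.0.10/32
set protocols bgp group ebgp-peers neighbor 192.168.0.20 peer-as 65001
set protocols bgp group ibgp neighbor 10.0.0.20
"""

# The two apply-paths from the KB article, keyed by prefix-list name.
APPLY_PATHS = {
    "bgp-allowed": "protocols bgp group <*> neighbor <*>",
    "local-addresses": "interfaces <*> unit <*> family inet address <*>",
}


def apply_path_regex(apply_path):
    """Turn an apply-path into a regex: each <*> matches one config token and
    the last <*> is the value that ends up in the prefix-list."""
    parts = [r"(\S+)" if p == "<*>" else re.escape(p) for p in apply_path.split()]
    return re.compile(r"\s+".join(parts) + r"(?:\s|$)")


def expand_apply_path(config_text, apply_path):
    """Return the unique values the apply-path extracts, in config order."""
    pattern = apply_path_regex(apply_path)
    values = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            line = line[4:]
        m = pattern.match(line)
        if m and m.groups()[-1] not in values:
            values.append(m.groups()[-1])
    return values


def build_prefix_lists(config_text):
    """Expand every apply-path into networks. Interface addresses keep their
    configured mask (192.168.0.10/24 -> 192.168.0.0/24), as the KB article's
    'display inheritance' output shows; neighbor addresses become /32 hosts."""
    return {
        name: [ipaddress.ip_network(v, strict=False)
               for v in expand_apply_path(config_text, path)]
        for name, path in APPLY_PATHS.items()
    }


def in_prefix_list(addr, prefix_list):
    return any(addr in net for net in prefix_list)


def local_secure(pkt, lists):
    """Walk the three terms of filter local-secure in order; first match wins."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    is_bgp = pkt["proto"] == "tcp" and BGP_PORT in (pkt["sport"], pkt["dport"])
    to_local = in_prefix_list(dst, lists["local-addresses"])
    # term 1: BGP between a configured neighbor and a local address
    if is_bgp and to_local and in_prefix_list(src, lists["bgp-allowed"]):
        return "term 1: accept"
    # term 2: any other BGP aimed at a local address
    if is_bgp and to_local:
        return "term 2: reject"
    # term 3: everything else passes
    return "term 3: accept"


def tcp(src, dst, dport, sport=40000):
    """Build a minimal packet description (constructed test input)."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}


if __name__ == "__main__":
    lists = build_prefix_lists(SAMPLE_CONFIG)
    for name, nets in lists.items():
        print(name, [str(n) for n in nets])
    print(local_secure(tcp("192.168.0.20", "192.168.0.10", 179), lists))
    print(local_secure(tcp("192.168.0.99", "192.168.0.10", 179), lists))
    print(local_secure(tcp("192.168.0.99", "192.168.0.55", 179), lists))
```

Run it as a script to see the expanded prefix-lists and the verdict for a configured neighbor, an unconfigured source, and a transit packet to another host on the /24. Before applying the real filter, compare the `display inheritance` output against the addresses you actually expect each list to cover.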