[j-nsp] TTL value check

Richard A Steenbergen ras at e-gerbil.net
Mon Mar 3 11:28:53 EST 2003


On Mon, Mar 03, 2003 at 11:47:36AM +0100, Nicolas Fevrier wrote:
> Hi,
> I'm trying to figure out how a Juniper can check 
> a TTL value in the "firewall filter from" statement.
> (in order to test the feasibility of some recommandations 
> from the BGP TTL Security Hack (BTSH) IETF draft).
> http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt
> 
> I searched on jnpr web site and didn't find anything relevant :
> http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/htm
> l/firewall-config11.html

Filtering packets by TTL would be useful, therefore it is currently not 
supported.

Another thing that is not supported, a simple match criteria where you
specify the offset into the packet, the size of the word (8, 16, and 32
bit would be plenty fine), and the value you want to match. This would be
too useful in filtering DoS, so of course it can't be done.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


More information about the juniper-nsp mailing list