[j-nsp] TTL value check

Stephen Gill gillsr at yahoo.com
Mon Mar 3 10:45:55 EST 2003


Barring the cynicism I'd agree :D.

-- steve

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Richard A Steenbergen
Sent: Monday, March 03, 2003 10:29 AM
To: Nicolas Fevrier
Cc: juniper at groupstudy.com; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] TTL value check

On Mon, Mar 03, 2003 at 11:47:36AM +0100, Nicolas Fevrier wrote:
> Hi,
> I'm trying to figure out how a Juniper can check 
> a TTL value in the "firewall filter from" statement.
> (in order to test the feasibility of some recommendations 
> from the BGP TTL Security Hack (BTSH) IETF draft).
> http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt
> 
> I searched on jnpr web site and didn't find anything relevant:
>
> http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config11.html

Filtering packets by TTL would be useful, therefore it is currently not 
supported.

Another thing that is not supported, a simple match criteria where you
specify the offset into the packet, the size of the word (8, 16, and 32
bit would be plenty fine), and the value you want to match. This would
be too useful in filtering DoS, so of course it can't be done.

-- 
Richard A Steenbergen <ras at e-gerbil.net>
http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
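
An added illustration, not part of the thread and not Junos configuration: the offset/word-size/value match described above, modelled in Python and used to express a BTSH-style TTL check on BGP packets. The rule set, the helper names and the expected TTL of 255 (a directly connected peer that sends with TTL 255) are assumptions made for the example.

```python
import struct

# Word sizes named in the message: 8, 16 and 32 bits, read in network byte order.
_FORMATS = {8: "!B", 16: "!H", 32: "!I"}


def match_word(packet: bytes, offset: int, bits: int, value: int) -> bool:
    """True if the `bits`-wide word at byte `offset` equals `value`."""
    fmt = _FORMATS.get(bits)
    if fmt is None:
        raise ValueError("word size must be 8, 16 or 32 bits")
    if offset < 0 or offset + bits // 8 > len(packet):
        return False  # truncated packet: treat as no match
    return struct.unpack_from(fmt, packet, offset)[0] == value


# Hypothetical rule set as (offset, bits, value) triples.
BGP_FROM_ADJACENT_PEER = [
    (0, 8, 0x45),   # IPv4 with a 20-byte header; fixed offsets below rely on this
    (8, 8, 255),    # TTL (assumed expected value for a one-hop peer)
    (9, 8, 6),      # IP protocol = TCP
    (22, 16, 179),  # TCP destination port = BGP
]


def matches_all(packet: bytes, rules) -> bool:
    """A packet passes only if every (offset, bits, value) rule matches."""
    return all(match_word(packet, o, b, v) for o, b, v in rules)


def build_packet(ttl: int, dport: int = 179) -> bytes:
    """Constructed IPv4 + TCP headers (documentation addresses, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ttl in (255, 254, 64):
        verdict = "accept" if matches_all(build_packet(ttl), BGP_FROM_ADJACENT_PEER) else "discard"
        print(f"TTL {ttl}: {verdict}")
```

The first rule pins the header length because a fixed byte offset into the TCP header is only valid when the IP header carries no options.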


