[j-nsp] TTL value check

Andre Gironda andre at operations.net
Mon Mar 3 09:56:26 EST 2003


I believe this has already been a feature request and likely discussed
by Jnpr's eng team.  Hence the aforementioned cynicism.

It's interesting that you can filter on many things inside the IP header
and TCP header except the things that real production networks would use.

Being able to get at the following three fields would be optimal for most
network operators: IP TTL, TCP options (particularly invalid MSS options),
and TCP window size.  If an implementation such as RAS described cannot
be fully realized, then maybe at least these three fields can be matched.

dre

On Mon, Mar 03, 2003 at 08:51:53AM -0800, Paul Goyette wrote:
> Thanks for the suggestions - we'll discuss this with engineering.
> 
> On Mon, Mar 03, 2003 at 11:47:36AM +0100, Nicolas Fevrier wrote:
> > I searched on the jnpr web site and didn't find anything relevant:
> >
> > http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config11.html
> 
> Filtering packets by TTL would be useful, therefore it is currently not
> supported.
> 
> Another thing that is not supported, a simple match criteria where you
> specify the offset into the packet, the size of the word (8, 16, and 32
> bit would be plenty fine), and the value you want to match. This would be
> too useful in filtering DoS, so of course it can't be done.
> 
> --
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
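The three fields dre asks for (IP TTL, TCP MSS option validity, TCP window) and the offset/width/value match from the quoted reply, written out in user space as an added example; this is not Juniper code and not from anyone in the thread. The packets are constructed, and MIN_MSS, the term names and the thresholds are assumptions of mine.

```python
import struct
MIN_MSS = 64  # assumed floor for a sane MSS option value; below this the option is treated as invalid

def build_packet(ttl, window, options=b""):
    """Constructed IPv4+TCP SYN (checksums left zero) for exercising the matcher."""
    options += b"\x00" * ((-len(options)) % 4)       # pad options to a 32-bit boundary
    doff = ((20 + len(options)) // 4) << 4             # TCP data offset lives in the upper nibble
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp

def match_word(pkt, offset, width, value):
    """The generic match from the thread: compare the 8/16/32-bit word at a byte offset."""
    fmt = {8: "!B", 16: "!H", 32: "!I"}[width]
    if offset + width // 8 > len(pkt):                 # never read past the packet
        return False
    return struct.unpack_from(fmt, pkt, offset)[0] == value

def tcp_fields(pkt):
    """Return (ttl, window, mss, options_valid); options_valid is False for a malformed TLV or bad MSS."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    window = struct.unpack_from("!H", tcp, 14)[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    mss, valid, i = None, True, 0
    while i < len(opts) and opts[i] != 0:              # kind 0 = end of option list
        if opts[i] == 1:                               # kind 1 = NOP, carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):       # truncated or self-overlapping TLV
            valid = False
            break
        if opts[i] == 2:                               # MSS option must be exactly 4 bytes long
            mss = struct.unpack_from("!H", opts, i + 2)[0] if length == 4 else None
            valid = valid and length == 4 and mss >= MIN_MSS
        i += length
    return pkt[8], window, mss, valid

def filter_reasons(pkt, min_ttl=255, min_window=1):
    """Evaluate the three requested terms; returns the names of the terms that matched."""
    ttl, window, _mss, valid = tcp_fields(pkt)
    hits = []
    if ttl < min_ttl:        hits.append("ttl")         # e.g. only accept directly connected peers
    if not valid:            hits.append("tcp-options")
    if window < min_window:  hits.append("window")
    return hits
```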
