[j-nsp] Secure JunOS Template questions
Stephen Gill
gillsr at yahoo.com
Mon Oct 13 12:56:17 EDT 2003
Hi Mike,
There are several ways of accomplishing the same task. In this
particular case the reason for the static bogon entries is because we
want to blackhole any traffic destined to those networks. Martians take
care of keeping the route from entering the routing table but they don't
protect you if you have a default route, or any aggregate routes
configured that would encompass the bogons. This is just an added
measure to ensure traffic doesn't get routed out the default path. This
also disables the sending of ICMP unreachables for those networks.
The example in the JUNOS BGP Template,
http://www.qorbit.net/documents/junos-bgp-template.htm,
actually incorporates martian routes, but still leaves the less specific
discard routes in the routing table. A bit more of an explanation can
be found in the Application Note here:
http://www.qorbit.net/documents/junos-bgp-appnote.htm
"If your network does not contain a 0/0 default route and contains the
entire Internet routing table, the static discard routes below are not
necessary. Instead, the martian addresses should be replaced with the
"orlonger" keyword which will disallow these networks from entering the
routing table. Static discard routes are used to remove all ambiguity
when a 0/0 route exists. "
Of course in newer versions of JUNOS you have the option of using
Unicast RPF which helps in a lot of this. Future versions of the
template will incorporate unicast RPF as an option.
--
Cheers,
Stephen Gill
http://www.qorbit.net
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
mikef at thruport.com
Sent: Monday, October 13, 2003 11:23 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Secure JunOS Template questions
Hello,
I was looking at this example "Secure" template at:
http://www.qorbit.net/documents/junos-template.pdf
And just had a question about the Static bogon entries. If you enter
the
routes as martians doesn't JunOS blackhole the routes anyway? Is there
any
reason they added them as Static discards? Souldn't these be added in a
firewall
policy to block traffic also? Thanks ahead of time.
-Mike
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list