[j-nsp] Matching TCP flags in IPv6 firewall filters
Daniel Roesen
dr at cluenet.de
Sat Apr 17 11:12:43 EDT 2004
Hi,
I'm unable to find any possibility to match for TCP flags in IPv6
filters. Thus, it's impossible to e.g. police SYN/FIN/RST packets.
The only reference I've found is a thread on j-nsp from Dec 2002 which
indicates that matching on TCP flags wasn't supported back then. I
can't believe that this is still the case?!?
Is this a hardware limitation, or can we expect this to be implemented
soon[tm]?
Otherwise, it's quite difficult to impossible to protect the control
plane on IPv6 level for BGP/LDP/SSH/other-TCP-based-services.
Best regards,
Daniel
More information about the juniper-nsp
mailing list