[j-nsp] filter on TCP seqnum

Paul Goyette pgoyette at juniper.net
Tue Jun 22 13:24:03 EDT 2004


I've just checked with our engineering folks, and the answer is....


We cannot do this today.  (I was wrong earlier.)

It would not be difficult to extend one of the existing Application
Layer Gateways to provide generic packet inspection and matching.
But the work has not been done, and although it is on the list of
things to do, it is not at the top of the list because there has
been little or no customer demand.  Note that Customer Demand needs
to be funnelled through Juniper's Enhancement Request process, and
that means dealing with your Juniper Sales team.  Requests voiced
on forums such as this list are heard, but carry little weight in
the feature development prioritization process.

-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
Sent: Tuesday, June 22, 2004 10:15 AM
To: Paul Goyette
Cc: Jeff Wheeler; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] filter on TCP seqnum


On Tue, Jun 22, 2004 at 09:50:50AM -0700, Paul Goyette wrote:
> I am by no means an expert on the configuration of the module.
> 
> The documentation should be of some help, or our JTAC folks can
> help you set up the appropriate "service-set".

I just took a good skim through the documentation and couldn't find
anything more on-topic than stateful firewalling, automatic anomaly 
checking, and syn cookies through the IDS service (does anyone have any 
performance numbers on exactly how big a flood this will combat btw?)

If anyone does find a way to make an AS pic do simple byte-match filtering
on packet header fields not covered by basic firewall commands, I think
we'd all like to know about it. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
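As an added illustration (not from this thread and not Juniper's or anyone's product code), here is the kind of generic byte-match on a TCP header field that the thread is asking for, written in Python against raw IPv4/TCP bytes; the packet builder, field names and sample values are all constructed for the example.

```python
import struct

IPPROTO_TCP = 6

def build_ipv4_tcp(seq, ack=0, flags=0x02, src_port=40000, dst_port=179):
    """Constructed sample: minimal IPv4 header + TCP header, no options, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def tcp_header_offset(packet):
    """Byte offset of the TCP header, or None if this is not an IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 options shift the TCP header
    if ihl < 20 or packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    return ihl

def tcp_field(packet, offset, length):
    """Generic byte-match primitive, equivalent to tcpdump's tcp[offset:length]."""
    base = tcp_header_offset(packet)
    if base is None or len(packet) < base + offset + length:
        return None
    return int.from_bytes(packet[base + offset:base + offset + length], "big")

def tcp_seq(packet):
    """The 32-bit sequence number lives at TCP header offset 4."""
    return tcp_field(packet, 4, 4)

def seq_matches(packet, value, mask=0xFFFFFFFF):
    """Filter term: true when (seq & mask) == (value & mask); non-TCP never matches."""
    seq = tcp_seq(packet)
    return seq is not None and (seq & mask) == (value & mask)
```

A mask lets one rule match a range of sequence numbers (e.g. a fixed high 16 bits) the way a prefix mask does for addresses.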