[j-nsp] Dynamic blocklists/blacklists...?

Phil Shafer phil at juniper.net
Wed Aug 10 12:02:21 EDT 2005


Michael Loftis writes:
>Is there any BCP for maintaining automatic blocklists in JunOS?

Unfortunately not.  We've got reasonable hooks in JUNOS for automation
but need to write them up as a cohesive guide.  The general advice
would be:

(a) Use JUNOScript as the communication path to the router.  This
is our XML-based API that ships as part of JUNOS.  There are perl
modules available.  See http://www.juniper.net/support/junoscript
for details.

(b) Lock the configuration (using the JUNOScript <lock-configuration>
RPC) to ensure that automated configuration changes are not affected
by human (or other automation) changes.

(c) Use configuration groups to isolate the domain of the application
doing the change.  This allows the application to know that it can
safely replace its entire config group contents without losing human
changes.  It also allows the human to know which changes are coming
from the application, and to override them in the foreground config.

(d) Use "commit confirmed" (the <confirmed/> option to the
<commit-confirmation> RPC) to aid recovery.

>I need to
>be able to have entries added quickly and automatically, but the problem
>is any time an entry is added to say a prefix list everything gets
>HUPed...this is mostly fine except that the ntp will never sync in an env
>where anything is slightly busy since it keeps getting HUP signals.

Modern sw uses what we call a "partial" commit, so daemons whose
configuration hasn't changed are not HUP'd.

Thanks,
 Phil
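As an added example (not part of Phil's message or of Juniper's own tooling), the Python below builds the JUNOScript RPC sequence that points (a) to (d) describe for a blocklist kept in a prefix-list: lock, replace the application's own configuration group contents, commit confirmed, unlock. The group and prefix-list names and the sample prefixes are constructed; the commit RPC is written with the <commit-configuration> element name, and the group still has to be referenced with apply-groups in the foreground configuration for the list to take effect.

```python
"""JUNOScript RPCs for one dynamic blocklist update (added example, not
from the original post).  Transport to the router is omitted: each function
returns the XML so it can be inspected or handed to any JUNOScript client.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample names; nothing here comes from the original post.
GROUP = "auto-blocklist"
PREFIX_LIST = "dyn-blocked-sources"


def _rpc(body):
    """Wrap an RPC body in the <rpc> envelope and serialise it."""
    rpc = ET.Element("rpc")
    rpc.append(body)
    return ET.tostring(rpc, encoding="unicode")


def validate_prefixes(prefixes):
    """Reject malformed feed entries (host bits set, garbage) before they
    reach the router; de-duplicate and sort so equal feeds give equal XML."""
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def load_blocklist_rpc(prefixes, group=GROUP, name=PREFIX_LIST):
    """<load-configuration> that swaps the whole prefix-list inside the group.
    replace="replace" drops stale entries; the group boundary keeps human
    changes in the foreground configuration untouched."""
    load = ET.Element("load-configuration", action="merge")
    grp = ET.SubElement(ET.SubElement(load, "configuration"), "groups")
    ET.SubElement(grp, "name").text = group
    pl = ET.SubElement(ET.SubElement(grp, "policy-options"), "prefix-list",
                       replace="replace")
    ET.SubElement(pl, "name").text = name
    for prefix in validate_prefixes(prefixes):
        ET.SubElement(ET.SubElement(pl, "prefix-list-item"), "name").text = prefix
    return _rpc(load)


def commit_confirmed_rpc(minutes=5):
    """Commit that rolls back unless a plain commit follows within `minutes`."""
    commit = ET.Element("commit-configuration")
    ET.SubElement(commit, "confirmed")
    ET.SubElement(commit, "confirm-timeout").text = str(minutes)
    return _rpc(commit)


def blocklist_update_rpcs(prefixes, minutes=5):
    """Ordered RPCs for one update: lock, load into group, commit confirmed, unlock."""
    return [_rpc(ET.Element("lock-configuration")), load_blocklist_rpc(prefixes),
            commit_confirmed_rpc(minutes), _rpc(ET.Element("unlock-configuration"))]
```

A second, plain <commit-configuration/> within the timeout is what confirms the change; if the script dies or loses the session first, the router reverts on its own.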

