[j-nsp] Dynamic blocklists/blacklists...?

Jeff Aitken jaitken at aitken.com
Tue Aug 16 15:17:30 EDT 2005

On Tue, Aug 16, 2005 at 06:16:50PM +0000, Chris Morrow wrote:
> If you are trying to implement dynamic blocklists why not just have 
> bgpd/quagga send you routes with a nexthop you are blackholing? then 
> urpf-loose your interfaces on devices you want to drop said traffic on?

Unless I'm mistaken, this won't work on Juniper routers due to a
difference in their implementation of uRPF as compared to the Cisco
implementation.  On a Cisco, if the route back to the source address
of an incoming packet recurses to null0, the packet is considered
to have failed the uRPF check and the packet is dropped.  On a
Juniper, the null0 route is treated as a "valid" route for uRPF
purposes, and the packet is forwarded.

I'm sure Pedro will correct me if I'm wrong. :-)


More information about the juniper-nsp mailing list