[j-nsp] Dynamic blocklists/blacklists...?
Jeff Aitken
jaitken at aitken.com
Tue Aug 16 15:17:30 EDT 2005
On Tue, Aug 16, 2005 at 06:16:50PM +0000, Chris Morrow wrote:
> If you are trying to implement dynamic blocklists why not just have
> bgpd/quagga send you routes with a nexthop you are blackholing? then
> urpf-loose your interfaces on devices you want to drop said traffic on?
Unless I'm mistaken, this won't work on Juniper routers due to a
difference in their implementation of uRPF as compared to the Cisco
implementation. On a Cisco, if the route back to the source address
of an incoming packet recurses to null0, the packet is considered
to have failed the uRPF check and the packet is dropped. On a
Juniper, the null0 route is treated as a "valid" route for uRPF
purposes, and the packet is forwarded.
I'm sure Pedro will correct me if I'm wrong. :-)
--Jeff
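A small model of the loose-mode uRPF check against a blackhole route, added here as an illustration and not part of the original thread or any vendor's code. It implements both behaviours exactly as Jeff describes them above, selected by a flag, over a constructed forwarding table in which a blocklisted /32 has been injected with a discard next hop (the bgpd/quagga approach Chris suggests).

```python
import ipaddress

DISCARD = "discard"  # sentinel next hop standing in for Null0 / a discard route


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # ip_network -> next hop

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        """Return (prefix, next_hop) of the most specific match, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for prefix, nh in self.routes.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def urpf_loose_passes(fib, src, discard_route_fails):
    """Loose-mode uRPF: pass if any route covers the source address.

    discard_route_fails=True models the Cisco behaviour the post describes
    (a source route that recurses to Null0 fails the check, packet dropped);
    False models the Juniper behaviour the post describes (the discard route
    counts as a valid route, packet forwarded).
    """
    hit = fib.lookup(src)
    if hit is None:
        return False  # no route at all: fails even loose mode
    if hit[1] == DISCARD:
        return not discard_route_fails
    return True


def build_fib():
    """Constructed sample table: default route, one customer prefix,
    and one blocklisted host injected as a /32 with a discard next hop."""
    fib = Fib()
    fib.add("0.0.0.0/0", "192.0.2.1")          # default route (constructed)
    fib.add("198.51.100.0/24", "192.0.2.2")    # customer prefix (constructed)
    fib.add("198.51.100.77/32", DISCARD)       # blocklist entry from bgpd/quagga
    return fib
```

Running the check on the same blocklisted source with the two semantics shows why the trick relies on the Cisco interpretation: under the Juniper behaviour described in the post, the /32 discard route still counts as a valid reverse path and the packet is forwarded.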