[j-nsp] Dynamic blocklists/blacklists...?
Michael Loftis
mloftis at wgops.com
Tue Aug 16 15:20:13 EDT 2005
--On August 16, 2005 6:16:50 PM +0000 Chris Morrow <morrowc at ops-netman.net>
wrote:
>
> On Tue, 16 Aug 2005, Michael Loftis wrote:
>
>>
>>
>> --On August 16, 2005 10:49:02 AM -0700 Pedro Roque Marques
>> <roque at juniper.net> wrote:
>>
>>> On Tue, 2005-08-16 at 17:22 +0000, Jared Mauch wrote:
>>>
>>>>> To me....it just seems far easier to have the route server broadcast
>>>>> the data via iBGP...
>>>>
>>>> So would something like this help?
>>
>> That is exactly what I really want. :)
>>
>
> Note that additions to BGP could be considered dangerous, especially wrt
> testing and validating new code releases or updates during incidents. If
> you are trying to implement dynamic blocklists, why not just have
> bgpd/quagga send you routes with a nexthop you are blackholing? Then
> urpf-loose your interfaces on the devices you want to drop said traffic on?
Because JunOS (according to a note I received from someone at Juniper) does
not behave as Cisco/IOS does in uRPF loose mode. I.e. it does not drop
inbound packets with a source that has a BGP/FIB destination of
discard/dsc. Unfortunately I don't have a lab to validate this, but I'm
inclined to say that the Juniper employee is correct. So in order to drop
traffic based on the source (which is mostly the case for me) I still have
to have 'some other method'.
And obviously changes to BGP do complicate things slightly with the
potential interop problems. JunOS already supports it in 7.3 in some
fashion (as mentioned earlier in this thread). I haven't had a chance yet
to read the docs, or to do testing...as I said, I don't really have a lab, so
I have to be sure of what's going on before I start to test it on production
equipment -- admittedly, working with 'testing' addresses and networks on
production hardware is not the best way to go...I usually test inside of a
logical router instance in JunOS, a very handy feature, not as good as having
a real lab, but it'll work for those of us who can't afford to have an M7i
to just test with.
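The blackhole-nexthop approach Chris describes, written out as an added example (not configuration from anyone in this thread): a Quagga bgpd fragment originating one host route per blocked source with the next hop pointed at a blackhole address, and the IOS fragment on the receiving edge router that makes loose-mode uRPF drop traffic from that source. All addresses are constructed (RFC 5737 space) and the AS number is a placeholder.

```text
! --- bgpd.conf on the blocklist route server (Quagga) ---
router bgp 65000
 bgp router-id 192.0.2.10
 ! one /32 per blocked source; the route-map rewrites the next hop
 network 198.51.100.77/32 route-map BLACKHOLE
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description edge-router
!
route-map BLACKHOLE permit 10
 ! 192.0.2.254 is the blackhole next hop; no-export keeps it inside the AS
 set ip next-hop 192.0.2.254
 set community no-export
!
! --- receiving IOS edge router ---
router bgp 65000
 neighbor 192.0.2.10 remote-as 65000
 neighbor 192.0.2.10 description blocklist-route-server
!
! the blackhole next hop resolves to Null0, so the learned /32 is a drop route:
!  - traffic TO 198.51.100.77 is discarded by normal forwarding
!  - traffic FROM 198.51.100.77 fails loose uRPF on the interface below
ip route 192.0.2.254 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
```

Withdrawing the `network` statement on the route server removes both the destination drop and the source drop on every router that learned the route, which is what makes the list dynamic.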