[j-nsp] Dynamic blocklists/blacklists...?

Chris Morrow morrowc at ops-netman.net
Tue Aug 16 15:30:10 EDT 2005

On Tue, 16 Aug 2005, Jeff Aitken wrote:

> On Tue, Aug 16, 2005 at 06:16:50PM +0000, Chris Morrow wrote:
>> If you are trying to implement dynamic blocklists why not just have
>> bgpd/quagga send you routes with a nexthop you are blackholing? then
>> urpf-loose your interfaces on devices you want to drop said traffic on?
> Unless I'm mistaken, this won't work on Juniper routers due to a
> difference in their implementation of uRPF as compared to the Cisco
> implementation.  On a Cisco, if the route back to the source address
> of an incoming packet recurses to null0, the packet is considered
> to have failed the uRPF check and the packet is dropped.  On a
> Juniper, the null0 route is treated as a "valid" route for uRPF
> purposes, and the packet is forwarded.

damn :( well, another option:

1) setup dsc0 interface with /30 address
2) setup dsc0 interface with output acl content:
    filter drop-all-count {
      term deny-count {
         then count deny-dsc0 discard;

3) reset nexthop or set nexthop in quagga/bgpd to /30 far-end

be happy, don't do 'dynamic' filters....

(thanks to brian gemberling and me, somewhat, for the dsc0 interface)

More information about the juniper-nsp mailing list