[j-nsp] Dynamic blocklists/blacklists...?
Chris Morrow
morrowc at ops-netman.net
Tue Aug 16 15:30:10 EDT 2005
On Tue, 16 Aug 2005, Jeff Aitken wrote:
> On Tue, Aug 16, 2005 at 06:16:50PM +0000, Chris Morrow wrote:
>> If you are trying to implement dynamic blocklists why not just have
>> bgpd/quagga send you routes with a nexthop you are blackholing? then
>> urpf-loose your interfaces on devices you want to drop said traffic on?
>
> Unless I'm mistaken, this won't work on Juniper routers due to a
> difference in their implementation of uRPF as compared to the Cisco
> implementation. On a Cisco, if the route back to the source address
> of an incoming packet recurses to null0, the packet is considered
> to have failed the uRPF check and the packet is dropped. On a
> Juniper, the null0 route is treated as a "valid" route for uRPF
> purposes, and the packet is forwarded.
damn :( well, another option:
1) setup dsc0 interface with /30 address
2) setup dsc0 interface with output acl content:
   filter drop-all-count {
       term deny-count {
           then {
               count deny-dsc0;
               discard;
           }
       }
   }
3) reset nexthop or set nexthop in quagga/bgpd to /30 far-end
be happy, don't do 'dynamic' filters....
-Chris
(thanks to brian gemberling and me, somewhat, for the dsc0 interface)
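The three steps above, written out as a complete Junos configuration. This is an added example, not configuration from the original post or from any named author; the addresses (192.0.2.0/30 for the dsc0 link, 203.0.113.5/32 as the prefix being dropped), the interface unit and the static route are assumptions chosen for illustration. The static route stands in for the route that bgpd/quagga would announce with its next-hop set to the far end of the /30; either way the route resolves through the dsc0 connected subnet, so traffic to the prefix leaves via dsc0, hits the output filter, is counted and discarded.

```junos
/* Step 1: discard interface with a /30; 192.0.2.2 is the "far end" */
interfaces {
    dsc {
        unit 0 {
            family inet {
                /* Step 2: count-and-discard filter applied on output */
                filter {
                    output drop-all-count;
                }
                address 192.0.2.1/30 {
                    destination 192.0.2.2;
                }
            }
        }
    }
}

firewall {
    family inet {
        filter drop-all-count {
            term deny-count {
                then {
                    count deny-dsc0;
                    discard;
                }
            }
        }
    }
}

/* Step 3: route for the prefix to drop, next-hop = far end of the /30.
   Constructed static route for illustration; in the setup described in
   the thread this route arrives over BGP from quagga/bgpd with the
   same next-hop and resolves through dsc0 in exactly the same way. */
routing-options {
    static {
        route 203.0.113.5/32 next-hop 192.0.2.2;
    }
}
```

To check it is doing what you expect: `show route 203.0.113.5` should show the prefix resolving via dsc0, and `show firewall filter drop-all-count` shows the `deny-dsc0` counter climbing as traffic to the prefix is discarded. This drops traffic by destination; the uRPF behaviour for source-based drops is as discussed earlier in the thread and is not relied on here.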