[j-nsp] Dynamic blocklists/blacklists...?

Pedro Roque Marques roque at juniper.net
Wed Aug 17 17:50:21 EDT 2005


On Wed, 2005-08-17 at 13:35 +0000, Rafal Szarecki WA/EPO wrote:
> Well IMHO it is possible to filter out based on source IP, without dynamic changes in configuration and with BGP-based announcement of wrong source addresses.
> And this should work for older SW/standard BGP.
> 
> 1) Write policy for forwarding-table which classifies all prefixes with BGP community "bad-source" to source-class "source-to-discard".
> 1a) (optionally) Write policy for forwarding-table which classifies all prefixes with BGP community "victims" to destination-class "victims".
> 2) Write firewall filter which matches on source-class="source-to-discard" (AND optionally destination-class="victims") with action discard.
> 3) Apply filter on output direction of interfaces.

Actually, you should configure the filter as an instance filter...

i.e. [routing-instance x] forwarding-options family inet filter input
<name>.

This gets applied after rpf/scu lookup but before destination address
lookup.

It will work on a distributed box (t-series) and is probably easier to
manage.

> 
> This is not as granular as BGP-flow.
> This consumes one of 128 available source/destination-classes.
> This requires application on multiple interfaces on the edge router (mostly core facing).
> 
You can do it on a per table basis...

> But it should work. And standard IPv4 BGP is enough.

Standard BGP is not enough when:
a) You want a more-specific filter (e.g. 5 tuple).
b) You actually want to automatically validate the filters.

   i.e. the bgp flow advertisements have particular semantics in that a
filter is only accepted if it does match the unicast routing associated
w/ a prefix.

   The current scheme of propagating /32s for black-holes has no such
way to validate information. As such ISPs are very skeptical of
propagating those /32s across more than 1 hop...

   Which is fine if you have enough bandwidth to deal w/ any attack that
can be thrown at you... less optimal for people managing smaller size
outfits.

   Pedro.
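Putting Rafal's steps together with Pedro's forwarding-table placement, as an added configuration sketch that is not from either poster and has not been verified against any particular Junos release; the community values 65000:666 and 65000:667, the policy, filter, counter, class and interface names are all made up for the example, and it assumes SCU accounting must be enabled on the ingress interface for the source-class lookup to happen:

```junos
# 1) forwarding-table policy: prefixes carrying the "bad-source" community
#    are tagged with source-class "source-to-discard"
set policy-options community bad-source members 65000:666
set policy-options policy-statement scu-classify term bad-sources from community bad-source
set policy-options policy-statement scu-classify term bad-sources then source-class source-to-discard
# 1a) optional: prefixes carrying the "victims" community get a destination-class
set policy-options community victims members 65000:667
set policy-options policy-statement scu-classify term victims from community victims
set policy-options policy-statement scu-classify term victims then destination-class victims
set routing-options forwarding-table export scu-classify
# 2) filter: discard (and count) traffic whose source matched the class;
#    the destination-class line is the optional narrowing from step 1a
set firewall family inet filter drop-bad-sources term drop from source-class source-to-discard
set firewall family inet filter drop-bad-sources term drop from destination-class victims
set firewall family inet filter drop-bad-sources term drop then count bad-source-drops
set firewall family inet filter drop-bad-sources term drop then discard
# explicit accept, since a Junos filter ends with an implicit discard
set firewall family inet filter drop-bad-sources term accept-rest then accept
# 3) Pedro's variant: apply it once as a forwarding-table filter (after the
#    rpf/scu lookup, before the destination lookup) instead of per interface
set forwarding-options family inet filter input drop-bad-sources
# for a non-default table use instead:
#   set routing-instances <instance> forwarding-options family inet filter input drop-bad-sources
# SCU lookup only happens on interfaces with source-class-usage enabled
set interfaces xe-0/0/0 unit 0 family inet accounting source-class-usage input
```

The `#` lines are explanatory and should be dropped before the file is fed to `load set`; after commit, `show firewall counter bad-source-drops filter drop-bad-sources` shows whether anything is being discarded.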

