[j-nsp] JUNOS Vulnerability
Richard A Steenbergen
ras at e-gerbil.net
Thu Jan 27 11:34:00 EST 2005
On Thu, Jan 27, 2005 at 07:56:16AM +0100, Josef Buchsteiner wrote:
> Eric,
>
> in the past rpd may have asserted once you have defined a
> community but no members are configured and therefor this check
> was added. What Is the purpose to have communities defined without
> members ?
Actually there are very valid uses for a community name (or any other
policy object) defined without members, namely automation and
standardizationn.
For example, lets say that I have standardized the roughly 70% of my
config that is common across all routers, broken them up into groups for
easy management, and have a simple junoscript based system for pushing out
new code so that it is easy to manage changes across all routers.
Now, lets say that because of Juniper's oh-so-quirky way to get routes
into BGP (namely policy statements injecting the routes in from another
protocol on every export policy), I have a set of policies which handle
redistribution and origination into BGP, setting communities on those
routes which I need to announce globally. These policies can then be
easily called (or not called) in an export policy chain.
Now, as we've learned previously, because of the oh-so-quirky lack of a
bgp origination command, the only sure fire way to be able to get both
static hold-down routes and directly connected interface routs into BGP is
with a policy statement matching with route-filter, or better yet
prefix-list. So consider that you now have a set of policies which are
common to every router containing well-known standardized code, and one of
the very few things that now needs to go into the router-specific policy
section is the list of specific routes you need to originate, which is
referenced by the standarized code through a prefix-list. Sounds very
clean and efficient right?
policy-options {
apply-groups [ base-policy ... ];
prefix-list bgp-originate {
12.34.0.0/19;
}
}
12.34.0.0/19 could be a static route with a hold-down to null0, it could
be nailed to an interface as 12.34.0.1/19, etc. If you need to make this
router originate a new route globally, you just stick it in this
prefix-list (and make sure it exists somewhere of course :P) and you're in
business.
UNLESS you happen to have a router that doesnt need to originate anything
into bgp.
# set policy-options prefix-list bgp-originate
show:
prefix-list bgp-originate;
But:
'policy-options'
Policy error: bgp-originate prefix-list referenced (in term originate)
but not defined
So, what is the purpose of a prefix-list defined without any prefixes in
it? So that you can standardize the config and later put prefixes in it
easily if you need to. The exact same logic can apply to BGP communities.
Actually BGP communities are even worse, because at least in the above
example you can stick in a prefix that doesn't have a route like
1.2.3.0/24, and still make the configuration commit. You probably don't
want to be sticking random junk in your communities just to work around a
silly config parser that makes invalid assumptions.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the juniper-nsp
mailing list