[j-nsp] Question about loose-mode RPF
Rafal Szarecki (WA/EPO)
rafal.szarecki at ericsson.com
Wed Oct 19 05:36:21 EDT 2005
Adam,
There was a discussion on this topic a few weeks ago on the list.
Juniper treats a route to discard as any other route when uRPF is executed - as opposed to Cisco. Cisco treats routes to null0 as non-existing when uRPF is executed. IMHO this is bad because more exceptions like this make engineers' lives harder.
Generally Juniper does a much better thing - Flow route specification as per
http://professional.juniper.net/roque/draft-marques-idr-flow-spec-02.txt
This is a common draft of Juniper, Cisco, Arbor and NTT/Verio.
You can probably also find this on the IETF site...
See topic "low route" with BGP example.
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Chris Adams
> Sent: Wednesday, October 19, 2005 1:27 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Question about loose-mode RPF
>
>
> We recently replaced a couple of our core Cisco routers with a Juniper,
> and I'm still working out a few things that are different.
>
> One thing I've noticed is that loose-mode RPF doesn't discount discard
> routes. On our Ciscos, routing something to Null0 means that loose uRPF
> drops traffic from that block. The Juniper doesn't appear to do that
> for discard routes.
>
> The Cisco behavior is useful for us; when we get a "problem" IP (such as
> an SSH scanner), we can null route the IP and the inbound traffic is
> dropped as well. I had been planning on setting up an internal dynamic
> blocking server (using BGP to propagate routes for bad IPs with a
> community to null-route the routes).
>
> Is there a way to get similar behavior on a Juniper?
>
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
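
The difference discussed in this thread, as an added example that is not part of either message and is not vendor code: a simplified Python model of a loose-mode uRPF source check in which one flag selects whether a discard/Null0 route counts as a valid route. The route table, the next-hop labels and the assumption that the check is made on the longest-match route are constructed for illustration.

```python
import ipaddress

# Constructed sample route table: (prefix, next hop). Documentation
# address space only; "if-a"/"if-b" are made-up interface labels.
SAMPLE_FIB = [
    ("198.51.100.0/24", "if-a"),
    ("198.51.100.7/32", "discard"),  # null-routed "problem" host
    ("203.0.113.0/24", "if-b"),
]


def longest_match(fib, address):
    """Return (network, next_hop) of the most specific covering route, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def loose_urpf_accepts(fib, source, discard_counts_as_route):
    """Loose-mode check: accept the packet if a route back to its source exists.

    discard_counts_as_route=True  models the Juniper behaviour described in
    the thread (a discard route is a route like any other).
    discard_counts_as_route=False models the Cisco behaviour described in
    the thread (a Null0 route does not satisfy the check).
    """
    route = longest_match(fib, source)
    if route is None:
        return False  # no route to the source at all: always dropped
    if route[1] == "discard" and not discard_counts_as_route:
        return False  # best route is a blackhole: inbound traffic dropped too
    return True


def blocked_sources(fib, sources, discard_counts_as_route):
    """Return the sources whose packets the check would drop."""
    return [s for s in sources
            if not loose_urpf_accepts(fib, s, discard_counts_as_route)]


if __name__ == "__main__":
    probes = ["198.51.100.7", "198.51.100.8", "192.0.2.1"]
    print("discard counts as route:", blocked_sources(SAMPLE_FIB, probes, True))
    print("discard fails the check:", blocked_sources(SAMPLE_FIB, probes, False))
```

In this model the null-routed /32 only blocks inbound traffic from that host when discard routes fail the check, which is the property the BGP-driven blocking setup in the original question relies on.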