[j-nsp] Juniper Commit/Op Scripts and Archive

Richard A Steenbergen ras at e-gerbil.net
Sun Jun 10 20:04:08 EDT 2007


On Fri, Jun 08, 2007 at 11:32:31PM +0100, Thomas Mangin wrote:
> Hi.
> 
> Richard, I have been using your scripts for a few weeks and can only 
> thank you for the work you have done; the max-prefix auto-tuning is really nice.
> 
> Regarding GTSM, low-end Junipers do not have hardware-accelerated ACLs for 
> the loopback interface, which means that the firewall statement must 
> really be applied to all the interfaces of the router to not risk a DoS. 
> As it is now possible to chain firewall statements on the interface, this 
> is not really a problem.

There shouldn't be a difference between filtering on the interface or lo0, 
but older platforms (Internet Processor I/II based) don't support matching 
TTL in hardware. Anything newer should do it, T-series, M320, M120, MX, 
etc.

But on that subject, let me pose a couple of questions for the list:

* Does anyone have any feedback about J series support?
* Can you match TTL for IPv6? Yes, I know it's not named that in v6, but I 
  can't find documentation or a firewall match criterion for it in 8.2R2.
* What happens if you configure a TTL match in firewall on an older 
  platform? It's a hidden command but you can still configure it and it 
  passes commit check for me, on an M160.

Of course, even without being able to do hw matching on TTL there is still 
an advantage over MD5 (for non-shared LAN type applications at least) by 
doing the check in the RE at tcp_input(). You also need to be able to send 
TTL 255 for the other end to support it, so even if you got no security 
benefit from it at all, it might not be a bad idea to configure given the 
prospect of future upgrades.

Plus hopefully this will prod Juniper into realizing this could be better 
implemented natively in order to do the SW match etc. :)

> However, I was wondering when Juniper is decreasing the TTL, to know if I 
> can limit the value to 255 or should allow 254 as well.

Yeah, actually I never got around to testing that one; someone do it for me 
and I'll update the scripts accordingly. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
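An added configuration example, not from the original post and not taken from Richard's scripts, showing the shape of the GTSM protection the thread discusses: a loopback filter that accepts BGP (TCP/179) from listed eBGP peers only when the received TTL is still 255, counts and discards other BGP packets, and passes everything else so the filter does not break the rest of the RE's traffic. The prefix-list names, counter name and peer addresses are constructed. The `hop-limit` match in the inet6 filter and the `ttl 255` statement under `protocols bgp` are assumptions about newer Junos releases; the thread itself only confirms that the IPv4 `ttl` match exists as a hidden command in 8.2R2.

```junos
policy-options {
    /* constructed example peers; replace with the real eBGP neighbours */
    prefix-list ebgp-peers-v4 {
        192.0.2.1/32;
        198.51.100.1/32;
    }
    prefix-list ebgp-peers-v6 {
        2001:db8::1/128;
    }
}
firewall {
    family inet {
        filter protect-re-bgp {
            /* BGP from a listed peer with an undecremented TTL: accept */
            term bgp-gtsm-ok {
                from {
                    source-prefix-list {
                        ebgp-peers-v4;
                    }
                    protocol tcp;
                    port bgp;
                    /* hidden on 8.2R2; hardware match needs a newer platform */
                    ttl 255;
                }
                then accept;
            }
            /* any other BGP packet (unknown source or TTL below 255): count and drop */
            term bgp-gtsm-bad {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count gtsm-violations;
                    discard;
                }
            }
            /* explicit final accept: a lo0 filter without it drops all other RE traffic */
            term everything-else {
                then accept;
            }
        }
    }
    family inet6 {
        filter protect-re-bgp-v6 {
            term bgp-gtsm-ok {
                from {
                    source-prefix-list {
                        ebgp-peers-v6;
                    }
                    next-header tcp;
                    port bgp;
                    /* assumption: hop-limit match is available on newer releases */
                    hop-limit 255;
                }
                then accept;
            }
            term bgp-gtsm-bad {
                from {
                    next-header tcp;
                    port bgp;
                }
                then {
                    count gtsm-violations-v6;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-bgp;
                }
            }
            family inet6 {
                filter {
                    input protect-re-bgp-v6;
                }
            }
        }
    }
}
protocols {
    bgp {
        group ebgp-gtsm {
            /* assumption: send TTL 255 so the far end can apply the same check */
            ttl 255;
            neighbor 192.0.2.1;
        }
    }
}
```

The `gtsm-violations` counter is the detection hook: `show firewall filter protect-re-bgp` shows whether anything is arriving on port 179 from an unlisted source or with a decremented TTL, which also answers the thread's open question about whether 254 needs to be allowed for a given peer. On a platform that cannot match TTL in hardware the `ttl 255` term still passes commit check, as Richard notes for the M160, so the counter is worth watching after a commit rather than assuming the term is enforced.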

