[j-nsp] Using routing policy in firewall filters

Stefan Fouant sfouant at gmail.com
Fri Jul 11 13:42:23 EDT 2008


If you are just worried about ensuring that traffic is sourced from
the appropriate locations (and external sources are not spoofing your
own customer space), wouldn't uRPF fit the bill?

Just a thought...

On Fri, Jul 11, 2008 at 1:14 PM, David Ball <davidtball at gmail.com> wrote:
>  I'm worried more about people on the internet spoofing my customer
> space INbound into our network.  We have multihomed customers whose
> space would need to be allowed to be sourced from the internet, but
> most of our customers space should only be sourced from inside our
> network.
>
> David
>
>
> On 11/07/2008, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>> David Ball wrote:
>>>   Hey folks.  They say the definition of insanity is repeating the
>>> same thing over and over and expecting different results, and again I
>>> found myself trying to use routing policy in a firewall filter,
>>> unsuccessfully.
>>>   We have 4 upstream ISPs, 2 on 1 router and 2 on another.  Until now
>>> we've had to maintain large prefix-lists including all customer blocks
>>> on both routers such that they can be applied to firewall filters to
>>> perform anti-spoofing.  I'm trying to find a way to simplify this,
>>> such that if my provisioning guys add a new customer who has their own
>>> block, the anti-spoofing rules filtering inbound internet traffic will
>>> allow it.
>>>   What are other folks doing?  Prefix-list maintenance is the only way
>>> ?  I get the feeling this question has been asked before, but I
>>> couldn't find it.
>>>
>> Isn't it enough for you to enable unicast reverse path verify on the
>> routers so that clients can't spoof packets ?
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
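As an added illustration of the uRPF approach suggested in this reply (this is not configuration from the thread or from any poster; interface names, addresses and the filter name are placeholders), a Junos configuration that turns on strict-mode RPF checks on an upstream-facing interface, relaxes the check to feasible paths so multihomed customer prefixes that are also reachable via an upstream are not dropped, and counts and logs failures through a fail-filter:

```junos
/* Added example, not from the thread; interface, addresses and names are placeholders */
interfaces {
    ge-0/0/0 {
        description "upstream ISP A (placeholder)";
        unit 0 {
            family inet {
                rpf-check {
                    /* strict mode is the default: the source address must be
                       reachable back out this interface, so packets arriving from
                       the internet with a source in single-homed customer space
                       (whose route points inward) fail the check */
                    fail-filter urpf-fail;
                }
                address 192.0.2.2/30;
            }
        }
    }
}
routing-options {
    forwarding-table {
        /* consider every feasible path, not only the active one, so that a
           multihomed customer's prefix learned from an upstream still passes */
        unicast-reverse-path feasible-paths;
    }
}
firewall {
    family inet {
        filter urpf-fail {
            term count-and-drop {
                then {
                    count urpf-fail;   /* visible with: show firewall filter urpf-fail */
                    syslog;
                    discard;
                }
            }
        }
    }
}
```

Two caveats a practitioner would check before relying on this: strict mode on upstream interfaces assumes symmetric routing, and with four upstreams across two routers a prefix that is best-routed via one ISP but arrives from another will fail the check unless feasible-paths covers it; and loose mode (rpf-check mode loose) only rejects sources with no route at all, so it does not stop spoofing of customer space from the internet.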