[j-nsp] ttl-security

Harry Reynolds harry at juniper.net
Wed Sep 3 19:31:31 EDT 2008


I believe this knob only affects outbound ttl setting, effectively placing
a scope on how far away the remote peer *could* be. It will not prevent
acceptance of a connection with an incoming ttl that is less than the
value specified, which is the functionality being sought here.

The juniper knob provides outbound protection, while the cisco one
provides inbound.

IIRC, you can set a jni with multi-hop ttl-3, and we will set ttl = 3 in
outgoing packets rather than default of 1/64 for normal/multihop
respectively. There is no specific inbound check, other than normal IP
sanity checking. The inbound packet could have any TTL from 1-255 and we
will accept it.

General TTL security may be easy to implement in a software-based
router, but JUNOS FW filters are done in HW, by ASICs, and not all
platforms support full GTTL, as per the cluepon site. As always, if you
need a feature, request it through the sales channels to help expedite a
solution to market.

Regards and HTHs



 

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Truman Boyes
Sent: Wednesday, September 03, 2008 2:20 PM
To: Bit Gossip
Cc: 'Juniper-Nsp'
Subject: Re: [j-nsp] ttl-security

Bit,

http://www.juniper.net/techpubs/software/junos/junos92/swconfig-routing/multihop.html#id-13320727

Yes you can specify a maximum TTL value. This match is performed on RE,
not on the PFE as opposed to a firewall match.

Regards,
Truman


On 3/09/2008, at 5:58 PM, Bit Gossip wrote:

> Experts,
> do you know if there is a Junos equivalent to the following Cisco:
>
> rc1(config-router)#neighbor 1.1.1.1 ttl-security hops ?
>  <1-254>  maximum number of hops
>
>
>
> Thanks,
> Bit
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
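
Added example, not part of the original thread or either vendor's code: a small model of the difference discussed above between only setting the outbound TTL and enforcing an inbound TTL floor on BGP packets. It assumes the inbound floor for "ttl-security hops N" is 255 - N; the function names and the local address 192.0.2.1 are hypothetical, and the packets are constructed samples.

```python
import ipaddress
import struct

BGP_PORT = 179
MAX_TTL = 255

def build_ipv4_tcp(src, dst, ttl, sport, dport):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

def min_accepted_ttl(hops):
    """Inbound floor for 'ttl-security hops N' (assumed 255 - N, N in 1-254)."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be in 1-254")
    return MAX_TTL - hops

def parse_bgp_packet(packet):
    """Return (src, ttl) for an IPv4/TCP packet to or from port 179, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != 6:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return None
    return str(ipaddress.IPv4Address(packet[12:16])), packet[8]

def accept_inbound(packet, peer, hops=None):
    """hops=None models no inbound TTL check; hops=N enforces the floor."""
    parsed = parse_bgp_packet(packet)
    if parsed is None or parsed[0] != peer:
        return False
    return hops is None or parsed[1] >= min_accepted_ttl(hops)

if __name__ == "__main__":
    # Columns: arriving TTL, accepted with no inbound check, accepted with hops=2
    for ttl in (255, 253, 245, 3):
        pkt = build_ipv4_tcp("1.1.1.1", "192.0.2.1", ttl, 40000, BGP_PORT)
        print(ttl, accept_inbound(pkt, "1.1.1.1"), accept_inbound(pkt, "1.1.1.1", 2))
```

With no inbound check every TTL from the peer address is accepted; with hops=2 only packets arriving with TTL 253 or higher pass, so a packet sent with TTL 3 is rejected.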
