[j-nsp] bad packets
Bit Gossip
bit.gossip at chello.nl
Thu Sep 10 07:06:16 EDT 2009
Experts,
on the ground that only the following protocols are allowed to reach the
RE:
- BGP (runs PMTU so should not fragment packets)
- ISIS is only L2 so it is not blocked by a firewall filter
- OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
- ssh, snmp, tacacs, ntp, ICMP, domain
Is it correct to assume that for none of them it is necessary to allow
fragments and packets with IP options?
This way it is possible and safe to immediately reject on a loopback
inbound filter all fragments and packets with IP options?
Thanks,
Bit.