[j-nsp] bad packets

sthaug at nethelp.no sthaug at nethelp.no
Thu Sep 10 07:18:09 EDT 2009


> on the ground that only the following protocols are allowed to reach the
> RE:
> - BGP (runs PMTU so should not fragment packets)
> - ISIS is only L2 so it is not blocked by a firewall filter
> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
> - ssh, snmp, tacacs, ntp, ICMP, domain
> 
> Is it correct to assume that for none of them it is necessary to allow
> fragments and packets with IP options?
> This way it is possible and safe to immediately reject on a loopback
> inbound filter all fragments and packets with IP options?

This may not be safe. In a network with non-standard MTU on some
backbone links, we have seen fragmented LDP traffic.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
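
One way to check this on a given network before rejecting anything, as an added example that is not part of the original thread: count and log fragments and packets with IP options at the top of the loopback input filter, let them continue to the existing terms, and read the counters after a representative period. The filter name PROTECT-RE, the term and counter names, and the placeholder for the first existing term are assumptions.

```junos
# Added example; PROTECT-RE is a hypothetical name for the filter already
# applied as "family inet filter input" on lo0. Term and counter names are
# hypothetical as well.

# First fragments (offset 0, more-fragments set); L4 ports are still visible.
set firewall family inet filter PROTECT-RE term m-first-frag from first-fragment
set firewall family inet filter PROTECT-RE term m-first-frag then count re-first-fragment
set firewall family inet filter PROTECT-RE term m-first-frag then log
set firewall family inet filter PROTECT-RE term m-first-frag then next term

# Later fragments (non-zero offset); no L4 header, so port matches cannot apply.
set firewall family inet filter PROTECT-RE term m-later-frag from is-fragment
set firewall family inet filter PROTECT-RE term m-later-frag then count re-later-fragment
set firewall family inet filter PROTECT-RE term m-later-frag then log
set firewall family inet filter PROTECT-RE term m-later-frag then next term

# Any packet carrying IP options.
set firewall family inet filter PROTECT-RE term m-ip-options from ip-options any
set firewall family inet filter PROTECT-RE term m-ip-options then count re-ip-options
set firewall family inet filter PROTECT-RE term m-ip-options then log
set firewall family inet filter PROTECT-RE term m-ip-options then next term

# New terms are appended at the end of the filter; move them ahead of the
# existing terms. Replace <first-existing-term> with the real term name.
insert firewall family inet filter PROTECT-RE term m-first-frag before term <first-existing-term>
insert firewall family inet filter PROTECT-RE term m-later-frag before term <first-existing-term>
insert firewall family inet filter PROTECT-RE term m-ip-options before term <first-existing-term>

# Operational mode, after commit and an observation period:
#   show firewall filter PROTECT-RE
#   show firewall log
```

Non-zero counters identify traffic, such as the fragmented LDP mentioned above, that a blanket reject term would drop; the log entries show source and protocol so each case can be given an explicit accept term or fixed at the MTU level.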

