[j-nsp] bad packets
snar at snar.spb.ru
Thu Sep 10 07:40:38 EDT 2009
On Thu, Sep 10, 2009 at 01:06:16PM +0200, Bit Gossip wrote:
> on the ground that only the following protocols are allowed to reach the
> - BGP (runs PMTU so should not fragment packets)
> - ISIS is only L2 so it is not blocked by a firewall filter
> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
> - ssh, snmp, tacacs, ntp, Icmp, domain
> Is it correct to assume that for none of them is it necessary to allow
> fragments and packets with IP options?
> This way it is possible and safe to immediately reject on a loopback
> inbound filter all fragments and packets with IP options?
At least IGMP packets usually have the Router-Alert option set.
Not sure about VRRP (tcpdump shows no options) and BFD.
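An added example, not from the thread, of how that caveat shapes the lo0 inbound filter the original poster describes: IGMP carrying the Router-Alert option is accepted explicitly before the terms that reject remaining IP-option packets and fragments, and each reject term counts its hits so the counters can be checked for legitimate traffic before the filter is trusted. Filter and counter names are assumed; the per-protocol accept terms (BGP, OSPF, ssh and so on) are left out.

```junos
/* Added example, not from the thread: lo0 inbound filter that admits IGMP
   (which carries the Router-Alert option) before rejecting other IP-option
   packets and all fragments. Filter and counter names are assumed. */
firewall {
    family inet {
        filter protect-re {
            /* Must come first: the generic ip-options term below would
               otherwise silence IGMP membership reports and queries. */
            term allow-igmp-router-alert {
                from {
                    protocol igmp;
                    ip-options router-alert;
                }
                then {
                    count igmp-router-alert;
                    accept;
                }
            }
            /* Any other IP option: count, then reject. Check the counter
               for legitimate hits before relying on this term. */
            term reject-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count ip-options-rejected;
                    reject;
                }
            }
            /* is-fragment matches trailing fragments (offset != 0) and
               first-fragment the initial one; both terms are needed. */
            term reject-trailing-fragments {
                from {
                    is-fragment;
                }
                then { count fragments-rejected; reject; }
            }
            term reject-first-fragments {
                from {
                    first-fragment;
                }
                then { count fragments-rejected; reject; }
            }
            /* Per-protocol accept terms (BGP, OSPF, ssh, ...) and a final
               discard term follow here. */
        }
    }
}
```

Apply it with `set interfaces lo0 unit 0 family inet filter input protect-re` and read the counters with `show firewall filter protect-re`.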