[j-nsp] bad packets

Danny Vernals danny.vernals at gmail.com
Thu Sep 10 07:55:38 EDT 2009


On Thu, Sep 10, 2009 at 12:40 PM, Alexandre Snarskii <snar at snar.spb.ru> wrote:
> On Thu, Sep 10, 2009 at 01:06:16PM +0200, Bit Gossip wrote:
>> Experts,
>> on the ground that only the following protocols are allowed to reach the
>> RE:
>> - BGP (runs PMTU so should not fragment packets)
>> - ISIS is only L2 so it is not blocked by a firewall filter
>> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
>> - ssh, snmp, tacacs, ntp, ICMP, domain
>>
>> Is it correct to assume that for none of them is it necessary to allow
>> fragments and packets with IP options?
>> This way it is possible and safe to immediately reject on a loopback
>> inbound filter all fragments and packets with IP options?
>
> At least IGMP packets usually have Router-Alert option set.
> Not sure about VRRP (tcpdump shows no options) and BFD.
>

RSVP also uses the Router Alert option in PATH messages when initially
signalling an LSP to establish soft-state on downstream transit
routers.

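Added example, not part of the original thread: a Python sketch of the loopback-filter decision discussed above, showing that a blanket "discard fragments and IP options" rule drops IGMP and RSVP packets carrying Router Alert unless that option is exempted for those two protocols. The function names, the `allow_router_alert` switch and the sample headers are assumptions constructed for illustration; this is not Junos filter syntax.

```python
import struct

ROUTER_ALERT = 0x94        # IPv4 option type 148, Router Alert (RFC 2113)
ALERT_PROTOCOLS = {2, 46}  # IGMP and RSVP, the two protocols named in the thread
ROUTER_ALERT_OPTION = bytes([0x94, 0x04, 0x00, 0x00])  # type, length, value 0

def option_types(header):
    """List the option types carried in a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4 if header else 0
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad header length")
    kinds, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == 0:        # End of Option List
            break
        if kind == 1:        # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("bad option length")
        kinds.append(kind)
        i += header[i + 1]
    return kinds

def is_fragment(header):
    """True when More Fragments is set or the fragment offset is non-zero."""
    (flags_offset,) = struct.unpack("!H", header[6:8])
    return bool(flags_offset & 0x3FFF)

def verdict(header, allow_router_alert=True):
    """'accept' or 'discard' for a packet addressed to the routing engine."""
    try:
        kinds = option_types(header)
    except ValueError:
        return "discard"
    if is_fragment(header):
        return "discard"
    if not kinds:
        return "accept"
    if allow_router_alert and kinds == [ROUTER_ALERT] and header[9] in ALERT_PROTOCOLS:
        return "accept"
    return "discard"

def build_header(protocol, options=b"", flags_offset=0):
    """Constructed sample header (documentation addresses, checksum left at 0)."""
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0,
                       flags_offset, 1, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
```

Calling `verdict(header, allow_router_alert=False)` models the filter as originally proposed, so the same IGMP or RSVP header can be checked under both policies.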