[j-nsp] bad packets
Bit Gossip
bit.gossip at chello.nl
Thu Sep 10 09:50:41 EDT 2009
My point of view in this case is the following:
- the network should have a standard MTU configured on both sides of all
links; should there be a non-standard one, this is a misconfiguration.
- in the loopback firewall filter, fragments are dropped with the count
and log option so that we can see what is being dropped.
On this ground it is better to have LDP breaking due to MTU
misconfiguration, because I can quite easily troubleshoot it, rather
than having LDP working and having problems on the data plane such as
latency due to fragmentation, high CPU usage on the router doing the
fragmentation, customer packets being dropped... all things that are a
nightmare to troubleshoot!
agree?
On Thu, 2009-09-10 at 13:18 +0200, sthaug at nethelp.no wrote:
> > on the ground that only the following protocols are allowed to reach the
> > RE:
> > - BGP (runs PMTU so should not fragment packets)
> > - ISIS is only L2 so it is not blocked by a firewall filter
> > - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
> > - ssh, snmp, tacacs, ntp, Icmp, domain
> >
> > Is it correct to assume that for none of them is it necessary to allow
> > fragments and packets with IP options?
> > This way it is possible and safe to immediately reject on a loopback
> > inbound filter all fragments and packets with IP options?
>
> This may not be safe. In a network with non-standard MTU on some
> backbone links, we have seen fragmented LDP traffic.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
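As an added illustration of the lo0 filter approach discussed in this thread (this is not the poster's configuration; the filter name `protect-re`, the counter names and the term layout are assumptions), the following Junos fragment discards fragments and packets with IP options before they reach the RE, with `count` and `log` so that anything dropped shows up in `show firewall filter protect-re` and `show firewall log`. Note that Junos matches trailing fragments (`is-fragment`) and the first fragment (`first-fragment`) with separate match conditions, so both terms are needed; the explicit accept terms for the protocols that may reach the RE belong between the fragment/options terms and the final discard.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Trailing fragments (fragment offset != 0): count, log and discard */
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count re-fragments-dropped;
                    log;
                    discard;
                }
            }
            /* First fragment (MF set, offset 0) is a separate match in Junos */
            term drop-first-fragments {
                from {
                    first-fragment;
                }
                then {
                    count re-fragments-dropped;
                    log;
                    discard;
                }
            }
            /* Any packet carrying IP options */
            term drop-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count re-ip-options-dropped;
                    log;
                    discard;
                }
            }
            /* Explicit accept terms for the allowed RE protocols go here */
            /* Everything else: count, log and discard (assumed final term) */
            term deny-rest {
                then {
                    count re-other-dropped;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

If LDP on a link with a non-standard MTU starts fragmenting, as described in the quoted reply, the `re-fragments-dropped` counter increments and the dropped packets appear in `show firewall log` with their source address, which points directly at the link whose MTU needs checking.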