[j-nsp] bad packets

Serge Vautour sergevautour at yahoo.ca
Thu Sep 10 11:29:15 EDT 2009


We run OSPF & BGP with no MPLS. Our standard protect RE filter does:

- Allow OSPF, BGP, VRRP, BFD
- Drop all first fragments & trailing fragments
- Allow ICMP, TACACS, SSH, Telnet, SNMP, DNS, FTP
- Drop everything else


Appropriate entries permit only certain source/destinations. This has been working fine for us.
Serge


----- Original Message ----
From: Bit Gossip <bit.gossip at chello.nl>
To: Juniper List <juniper-nsp at puck.nether.net>
Sent: Thursday, September 10, 2009 8:06:16 AM
Subject: [j-nsp] bad packets

Experts,
on the ground that only the following protocols are allowed to reach the
RE:
- BGP (runs PMTU so should not fragment packets)
- ISIS is only L2 so it is not blocked by a firewall filter
- OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
- ssh, snmp, tacacs, ntp, Icmp, domain

Is it correct to assume that for none of them is it necessary to allow
fragments and packets with IP options?
This way it is possible and safe to immediately reject on a loopback
inbound filter all fragments and packets with IP options?

Thanks,
Bit.


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
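As an added illustration of the policy Serge lists above (this is not configuration from either poster), the following Junos lo0 input filter implements the same four steps in the same order: accept the routing and redundancy protocols from known peers, drop first and trailing fragments, accept the management protocols from management hosts, and discard the rest. The prefix lists use RFC 5737 documentation ranges as constructed placeholders, the BFD ports (3784-3785, single-hop control and echo) and the use of Junos named ports for the management services are my assumptions, and the counters and the final `log` are added so that drops are visible in `show firewall` and the firewall log.

```junos
/* Added example: lo0 input filter following the policy described in the thread.
   Prefix contents are constructed placeholders; replace with real peer and NMS addresses. */
policy-options {
    prefix-list core-routers {    /* OSPF, BGP, VRRP and BFD peers (placeholder) */
        192.0.2.0/24;
    }
    prefix-list mgmt-hosts {      /* NMS, jump hosts, TACACS and DNS servers (placeholder) */
        198.51.100.0/24;
    }
    prefix-list our-loopbacks {   /* this router's own RE-reachable addresses (placeholder) */
        203.0.113.1/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* 1. Routing and redundancy protocols, only from known peers */
            term allow-ospf-vrrp {
                from {
                    source-prefix-list { core-routers; }
                    protocol [ ospf vrrp ];
                }
                then accept;
            }
            term allow-bgp {
                from {
                    source-prefix-list { core-routers; }
                    destination-prefix-list { our-loopbacks; }
                    protocol tcp;
                    port bgp;                    /* matches source or destination port 179 */
                }
                then accept;
            }
            term allow-bfd {
                from {
                    source-prefix-list { core-routers; }
                    protocol udp;
                    destination-port 3784-3785;  /* assumed: single-hop BFD control and echo */
                }
                then accept;
            }
            /* 2. Fragments: first (MF set, offset 0) and trailing (offset > 0) */
            term drop-first-fragments {
                from { first-fragment; }
                then { count first-frag-drop; discard; }
            }
            term drop-trailing-fragments {
                from { is-fragment; }
                then { count trailing-frag-drop; discard; }
            }
            /* 3. Management protocols, only from management hosts (ICMP from anywhere) */
            term allow-icmp {
                from { protocol icmp; }
                then accept;
            }
            term allow-mgmt-tcp {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    port [ tacacs ssh telnet domain ftp ftp-data ];
                }
                then accept;
            }
            term allow-mgmt-udp {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol udp;
                    port [ snmp domain ];
                }
                then accept;
            }
            /* 4. Everything else: count and log so violations are visible, then drop */
            term drop-rest {
                then { count protect-re-drop; log; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
            }
        }
    }
}
```

Terms are evaluated top to bottom, so the order matters: placing the fragment-drop terms after the routing-protocol terms, as in Serge's list, means a fragmented OSPF or BGP packet from a listed peer is still accepted, while fragments of anything else are discarded before the management terms are reached. Moving the fragment terms to the top would also drop fragmented OSPF, which can occur with large link-state updates. The filter does not match on IP options, since the thread does not settle that question; note that if RSVP or IGMP from Bit's list were in use, both rely on the Router Alert option (RFC 2113), so an unconditional drop of packets with IP options would need an exception for them.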




