[j-nsp] In Search of the Optimal RE Protect Filter - A Journey

Saku Ytti saku at ytti.fi
Wed Aug 10 02:14:41 EDT 2011


On (2011-08-09 16:25 -0400), Clarke Morledge wrote:
 
> Well, I hope this all helps someone.   If someone can clarify and/or
> improve on this, please let me know.  I had to learn the hard way.

Nice pointers, thanks.

People should also have forwarding-options filter in every routing-instance
(including main) to police IP options and IPv6 hop-by-hop options. Rate of
5Mbps (on small packets) will kill your MX80. It is unfortunate that you cannot
police with pps, only with bps.
If you are running RSVP, you might want to allow your linknet/lo0 space
unpoliced or policed separately rather than putting all IP options under the same
policer.

I've not done testing at all on how MX is vulnerable when using L2 interfaces, but
I'm certain there are a lot more things to watch out for then, due to software
handling of BPDU. One thing I've noticed is that receiving an LLDP attack of about
5Mbps will kill MX80. This is particularly annoying as you can't match
ethertype on inet family filter, and you cannot do bridge filters on inet
interface, so there really isn't a way to police them. Luckily MX is only punting
LLDP if LLDP is enabled on the interface (single bit marker in mq stream), so only
enable it on trusted interfaces.
Also, 11.2 DDoS protection actually has a policer for LLDP (and it is missing IPv6
hop-by-hop options).

-- 
  ++ytti
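The forwarding-options filter described in the reply above, written out as an added Junos configuration example (not the poster's own config). Policer names, filter names, the 1m bandwidth limit and the burst size are assumed values chosen to stay well under the 5Mbps figure quoted in the thread; the same `forwarding-options` block would need to be repeated under each `routing-instances <name>` stanza, as the reply notes.

```junos
firewall {
    /* Assumed policer values: keep options traffic far below the 5Mbps
       that the thread reports as enough to overwhelm an MX80 RE */
    policer ip-options-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter police-ip-options {
            /* Any IPv4 packet carrying options is punted to software;
               police it before it reaches the RE, but still accept */
            term options {
                from {
                    ip-options any;
                }
                then {
                    policer ip-options-policer;
                    count ip-options;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
    family inet6 {
        filter police-ipv6-hbh {
            /* IPv6 hop-by-hop extension header is the IPv6 equivalent */
            term hop-by-hop {
                from {
                    next-header hop-by-hop;
                }
                then {
                    policer ip-options-policer;
                    count ipv6-hbh;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
/* Applied at forwarding-options level, so it covers all transit and
   host-bound traffic in this instance, not just lo0 */
forwarding-options {
    family inet {
        filter {
            input police-ip-options;
        }
    }
    family inet6 {
        filter {
            input police-ipv6-hbh;
        }
    }
}
```

The counters (`count ip-options`, `count ipv6-hbh`) are worth keeping: `show firewall` then gives a quick way to see whether the policer is actually discarding anything, and whether the assumed 1m limit is tight enough to be a problem for legitimate RSVP traffic, which is why the reply suggests exempting linknet/lo0 space or policing it separately.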

