[j-nsp] IPv6 'protect-re' sanity check

Rafael Rodriguez packetjockey at gmail.com
Thu Jun 30 10:23:48 EDT 2011


Hello List,

I need some help with a sanity check on a couple of routing-engine filters for
IPv6; specifically on the ICMPv6 section.  The router will connect to
routers only, no end hosts (not allowing RA and RS).   Filters are based on the
Juniper Day One ebook Securing the Routing Engine.  Should anything be added
or removed?  How are others doing this?  Thanks in advance.

/* Gathers every IPv6 address configured under [edit interfaces] (the <*:*>
   glob only matches addresses containing a colon) for use as the destination
   match in the RE filters below.
   NOTE(review): apply-path only sees configured addresses. Auto-generated
   link-local addresses and the multicast groups Neighbor Discovery uses
   (solicited-node ff02::1:ff00:0/104, ff02::1, ff02::2) are not in this list,
   so verify how NS/NA destined to those addresses are meant to reach the RE. */
prefix-list router-ipv6 {
    apply-path "interfaces <*> unit <*> family inet6 address <*:*>";
}
/* Same as router-ipv6, but for IPv6 addresses configured under logical
   systems. The apply-path string is wrapped across two lines in this post
   by the mail client; it must be a single quoted string in the actual
   configuration. The same link-local / multicast caveat applies. */
prefix-list router-ipv6-logical-systems {
    apply-path "logical-systems <*> interfaces <*> unit <*> family inet6
address <*:*>";
}

/* Rate limit for low-volume management traffic (traceroute terms below):
   1 Mbit/s with a 625 KB burst; traffic over the limit is discarded.
   apply-flags omit hides this stanza from plain "show configuration" output. */
policer management-1m {
    apply-flags omit;
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 625k;
    }
    then discard;
}
/* Rate limit for the general ICMPv6 term: 5 Mbit/s with a 625 KB burst,
   excess discarded. Shares its burst size with management-1m; the only
   difference is the bandwidth limit. */
policer management-5m {
    apply-flags omit;
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 625k;
    }
    then discard;
}


/* Accepts the ICMPv6 types a router-to-router deployment needs (echo, errors,
   path MTU, Neighbor Discovery), addressed to the router's own IPv6 addresses,
   policed to 5 Mbit/s and counted. router-advertisement, router-solicit and
   redirect are deliberately absent, consistent with "routers only" in the post.
   NOTE(review): "source-quench" is an ICMPv4 type with no ICMPv6 counterpart;
   confirm the commit accepts it under family inet6 and what numeric type it maps
   to, and confirm the inet6 keyword spelling for the unreachable type.
   NOTE(review): neighbor-solicit usually arrives addressed to a solicited-node
   multicast group or a link-local address, neither of which the prefix lists
   cover, so ND may not match this term. RFC 4861 also requires hop limit 255 on
   NS/NA; a hop-limit 255 match on those types (where the platform supports it)
   narrows the term to genuinely on-link traffic. */
filter accept-icmpv6 {
    apply-flags omit;
    term accept-icmp {
        from {
            destination-prefix-list {
                router-ipv6;
                router-ipv6-logical-systems;
            }
            next-header icmpv6;
            /* The icmp-type list is wrapped by the mail client; it is one
               bracketed list in the real configuration. */
            icmp-type [ echo-reply echo-request time-exceeded unreachable
source-quench parameter-problem neighbor-advertisement neighbor-solicit
packet-too-big ];
        }
        then {
            policer management-5m;
            count accept-icmpv6;
            accept;
        }
    }
}
/* Accepts inbound traceroute probes to the router's own IPv6 addresses:
   classic UDP probes (destination ports 33435-33450) and the ICMPv6 variant,
   each policed to 1 Mbit/s and counted separately.
   NOTE(review): echo-request and time-exceeded are also accepted by
   accept-icmpv6 under the 5m policer. If both filters are applied in one
   input-list, the first filter to match decides which policer applies, so the
   overlap is worth resolving deliberately (filter order or type split).
   NOTE(review): "timestamp" is an ICMPv4 type with no ICMPv6 counterpart;
   confirm the commit accepts it under family inet6 and what it maps to. */
filter accept-traceroute {
    apply-flags omit;
    /* UDP traceroute: any source, only the standard probe port range. */
    term accept-traceroute-udp {
        from {
            destination-prefix-list {
                router-ipv6;
                router-ipv6-logical-systems;
            }
            next-header udp;
            destination-port 33435-33450;
        }
        then {
            policer management-1m;
            count accept-traceroute-udp;
            accept;
        }
    }
    /* ICMPv6 traceroute (echo-request probes and time-exceeded replies). */
    term accept-traceroute-icmpv6 {
        from {
            destination-prefix-list {
                router-ipv6;
                router-ipv6-logical-systems;
            }
            next-header icmpv6;
            icmp-type [ echo-request timestamp time-exceeded ];
        }
        then {
            policer management-1m;
            count accept-traceroute-icmpv6;
            accept;
        }
    }
}

