[j-nsp] SRX policy action to inject a route in a table??
Clarke Morledge
chmorl at wm.edu
Thu Mar 17 18:04:36 EDT 2011
The SRX policy actions (count, deny, log, permit, reject) are helpful, but
a little limited. I am wondering if there might be a way to enforce a
special action such as take the ip address of the source packet and inject
it into a routing table of some sort.
What I have in mind is some way to use the SRX to grab the IPs of
misbehaving hosts and put the address in a RIB. Then I can use routing
policy to put the route into a BGP feed to a border router that would null
route traffic to and from that IP address using tricks with Unicast
Reverse Path Forwarding.
This would be like using the SRX has a simple honeypot to then enforce a
host address block at the network perimeter. Of course, there are all
sorts of dangers and challenges involved, such as making sure you don't
end up DOS'ing the SRX yourself, etc. But I still wish there was a clean
way to proactively do this.
My other option is to just log the packet to somewhere else, parse the
log, then grab the IP of the offender and populate my BGP feed that way.
But this could get complicated, too.
It could be a handy feature to do all of this task on the SRX.
Anybody have any ideas on this?
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
More information about the juniper-nsp
mailing list