[j-nsp] SRX policy action to inject a route in a table??
Crist Clark
Crist.Clark at globalstar.com
Thu Mar 17 18:21:47 EDT 2011
>>> On 3/17/2011 at 3:04 PM, Clarke Morledge <chmorl at wm.edu> wrote:
> The SRX policy actions (count, deny, log, permit, reject) are helpful, but
> a little limited. I am wondering if there might be a way to enforce a
> special action such as take the ip address of the source packet and inject
> it into a routing table of some sort.
>
> What I have in mind is some way to use the SRX to grab the IPs of
> misbehaving hosts and put the address in a RIB. Then I can use routing
> policy to put the route into a BGP feed to a border router that would null
> route traffic to and from that IP address using tricks with Unicast
> Reverse Path Forwarding.
>
> This would be like using the SRX as a simple honeypot to then enforce a
> host address block at the network perimeter. Of course, there are all
> sorts of dangers and challenges involved, such as making sure you don't
> end up DOS'ing the SRX yourself, etc. But I still wish there was a clean
> way to proactively do this.
>
> My other option is to just log the packet to somewhere else, parse the
> log, then grab the IP of the offender and populate my BGP feed that way.
> But this could get complicated, too.
>
> It could be a handy feature to do all of this task on the SRX.
>
> Anybody have any ideas on this?
Event script.
SLAX scripts are a bit hard to wrap your head around at first, but
this Day One document is a pretty good primer,
http://www.juniper.net/us/en/community/junos/training-certification/day-one/automation-series/applying-junos-automation/
You may want to hit up,
http://code.google.com/p/junoscriptorium/
And see if something even close already exists there.
BTW, anyone else know of good sources of JUNOS script examples?
--
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
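One way to do the log-parsing option described in the original post, as an added example that is not from the thread or from Juniper: a Python script that pulls source addresses out of SRX RT_FLOW_SESSION_DENY syslog lines, refuses to blackhole protected prefixes (the "don't DoS yourself" concern), and emits Junos static discard routes tagged with a community that a BGP export policy can match. The log lines are constructed approximations of the SRX format, and the community value, threshold and protected prefixes are assumptions.

```python
import ipaddress
import re

# Constructed sample syslog lines approximating the SRX RT_FLOW_SESSION_DENY format
# (exact field layout varies by Junos release; only the "session denied src/port->dst/port"
# part is parsed below).
SAMPLE_LOG = """\
Mar 17 18:01:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.23/51234->203.0.113.10/22 junos-ssh 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Mar 17 18:01:03 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.23/51235->203.0.113.10/23 junos-telnet 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Mar 17 18:01:04 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.5/40000->203.0.113.10/80 junos-http 6(0) default-deny trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0
Mar 17 18:01:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.77/1025->203.0.113.11/445 junos-smb 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Mar 17 18:01:06 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.23/51236->203.0.113.10/3389 junos-ms-rdp 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
"""

DENY_RE = re.compile(r"RT_FLOW_SESSION_DENY: session denied (\d+\.\d+\.\d+\.\d+)/\d+->")

# Assumed prefixes that must never be null-routed: RFC1918 space and our own
# public block, so a spoofed or internal source can't make us blackhole ourselves.
PROTECTED = [ipaddress.ip_network(p) for p in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]


def offenders(log_text, threshold=2):
    """Return source IPs with at least `threshold` denied sessions, excluding protected space."""
    counts = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in PROTECTED):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def blackhole_config(ips, community="65000:666"):
    """Junos 'set' statements: a /32 discard route per offender, tagged with an RTBH community.

    An export policy matching `community` (assumed value) then carries the routes into BGP.
    """
    lines = []
    for ip in ips:
        lines.append(f"set routing-options static route {ip}/32 discard")
        lines.append(f"set routing-options static route {ip}/32 community {community}")
    return lines


if __name__ == "__main__":
    print("\n".join(blackhole_config(offenders(SAMPLE_LOG))))
```

With the constructed input only 198.51.100.23 crosses the threshold; 10.0.0.5 is dropped as protected space and 192.0.2.77 has a single denial.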