[j-nsp] SRX policy action to inject a route in a table??

Doug Hanks dhanks at juniper.net
Thu Mar 17 18:25:30 EDT 2011


You can create a firewall filter and use the routing-instance knob.

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Clarke Morledge
Sent: Thursday, March 17, 2011 3:05 PM
To: juniper-nsp
Subject: [j-nsp] SRX policy action to inject a route in a table??

The SRX policy actions (count, deny, log, permit, reject) are helpful, but 
a little limited.  I am wondering if there might be a way to enforce a 
special action such as take the ip address of the source packet and inject 
it into a routing table of some sort.

What I have in mind is some way to use the SRX to grab the IPs of 
misbehaving hosts and put the address in a RIB.  Then I can use routing 
policy to put the route into a BGP feed to a border router that would null 
route traffic to and from that IP address using tricks with Unicast 
Reverse Path Forwarding.

This would be like using the SRX as a simple honeypot to then enforce a 
host address block at the network perimeter.  Of course, there are all 
sorts of dangers and challenges involved, such as making sure you don't 
end up DOS'ing the SRX yourself, etc.  But I still wish there was a clean 
way to proactively do this.

My other option is to just log the packet to somewhere else, parse the 
log, then grab the IP of the offender and populate my BGP feed that way. 
But this could get complicated, too.

It could be a handy feature to do all of this task on the SRX.

Anybody have any ideas on this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
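The second approach Clarke describes (log the denied packet, parse the log, pull out the offending source, feed it to BGP) is easy to sketch. The script below is an added example for this thread, not code from either poster or from Juniper. The log lines are constructed here in the general shape of SRX RT_FLOW_SESSION_DENY syslog messages; the exact field layout differs between Junos releases, so the regex (which only relies on the `src/port->dst/port` token) is an assumption to check against your own logs. The output is a set of Junos `set` commands for static discard routes tagged with a community, which a routing-policy on the SRX (not shown, and assumed) would export into the BGP session to the border router; the community value 65000:666 and the protected prefix are placeholders. The threshold and protected-prefix check are there for the "don't end up DOS'ing yourself" caveat: a single denied session, or one sourced from your own address space, never becomes a blackhole route.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the general shape of SRX
# RT_FLOW_SESSION_DENY messages. Field order after the src/dst token is an
# assumption; only the "src/port->dst/port" token is parsed below.
SAMPLE_LOG = """\
Mar 17 15:01:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.45/51234->198.51.100.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 15:01:03 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.45/51235->198.51.100.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 15:01:04 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.45/51236->198.51.100.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 15:01:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.7/40000->198.51.100.10/445 junos-smb 6(0) deny-all untrust trust
Mar 17 15:01:06 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.5/33000->198.51.100.10/80 junos-http 6(0) deny-all trust dmz
Mar 17 15:01:07 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 203.0.113.99/1000->198.51.100.10/80 junos-http 6(0) permit-web untrust trust
"""

# Only session-deny events count; permitted sessions are ignored.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied (?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+"
)

# Address space that must never be blackholed (placeholder prefix).
PROTECTED = [ipaddress.ip_network("198.51.100.0/24")]


def offenders(log_text, threshold=3):
    """Count denied sessions per source address and return the sources that
    reached the threshold, skipping anything inside a protected prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in PROTECTED):
            continue
        counts[src] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def blackhole_config(ips, community="65000:666"):
    """Render Junos set-commands for a /32 discard route per offender, tagged
    with a community (placeholder value) that an export policy can match when
    advertising the route to the border router."""
    lines = []
    for ip in ips:
        lines.append(f"set routing-options static route {ip}/32 discard")
        lines.append(f"set routing-options static route {ip}/32 community {community}")
    return lines


if __name__ == "__main__":
    for cmd in blackhole_config(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run against a real syslog file instead of `SAMPLE_LOG` and commit the output with a rollback-friendly method (configuration groups or `load set` followed by `commit confirmed`); also plan for removing entries after a fixed time, since nothing here ages a blackhole route out.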