[j-nsp] SRX policy action to inject a route in a table??

Thu Mar 17 18:13:23 EDT 2011

Have you looked into an inline IPS in front of the SRX to just block misbehaving host?  I've had a lot of success with this.

----- Original Message -----
From: juniper-nsp-bounces at puck.nether.net <juniper-nsp-bounces at puck.nether.net>
To: juniper-nsp <juniper-nsp at puck.nether.net>
Sent: Thu Mar 17 18:04:36 2011
Subject: [j-nsp] SRX policy action to inject a route in a table??

The SRX policy actions (count, deny, log, permit, reject) are helpful, but
a little limited.  I am wondering if there might be a way to enforce a
special action such as take the ip address of the source packet and inject
it into a routing table of some sort.

What I have in mind is some way to use the SRX to grab the IPs of
misbehaving hosts and put the address in a RIB.  Then I can use routing
policy to put the route into a BGP feed to a border router that would null
route traffic to and from that IP address using tricks with Unicast
Reverse Path Forwarding.

This would be like using the SRX has a simple honeypot to then enforce a
host address block at the network perimeter.  Of course, there are all
sorts of dangers and challenges involved, such as making sure you don't
end up DOS'ing the SRX yourself, etc.  But I still wish there was a clean
way to proactively do this.

My other option is to just log the packet to somewhere else, parse the
log, then grab the IP of the offender and populate my BGP feed that way.
But this could get complicated, too.

It could be a handy feature to do all of this task  on the SRX.

Anybody have any ideas on this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

This message contains confidential information and is intended only for the individual named. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.