[j-nsp] SRX policy action to inject a route in a table??

Stefan Fouant sfouant at shortestpathfirst.net
Thu Mar 17 23:21:55 EDT 2011


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Clarke Morledge
> Sent: Thursday, March 17, 2011 6:05 PM
> To: juniper-nsp
> Subject: [j-nsp] SRX policy action to inject a route in a table??
> 
> The SRX policy actions (count, deny, log, permit, reject) are helpful, but
> a little limited.  I am wondering if there might be a way to enforce a
> special action such as take the ip address of the source packet and inject
> it into a routing table of some sort.

Hi Clarke, Doug's suggestion of using a firewall-filter with an action of
then routing-instance is probably the cleanest way to do this.  We call this
Filter-Based Forwarding or FBF in Juniper speak but this is no different
from Policy-Based Routing (PBR) on other vendor platforms.  Firewall-filters
(stateless) are processed before stateful services so this wouldn't be an
action that you find under the 'security policies' stanza of the
configuration hierarchy, but rather would be configured under
'firewall-filters'.

> What I have in mind is some way to use the SRX to grab the IPs of
> misbehaving hosts and put the address in a RIB.  Then I can use routing
> policy to put the route into a BGP feed to a border router that would null
> route traffic to and from that IP address using tricks with Unicast
> Reverse Path Forwarding.
> 
> This would be like using the SRX as a simple honeypot to then enforce a
> host address block at the network perimeter.  Of course, there are all
> sorts of dangers and challenges involved, such as making sure you don't
> end up DOS'ing the SRX yourself, etc.  But I still wish there was a clean
> way to proactively do this.
> 
> My other option is to just log the packet to somewhere else, parse the
> log, then grab the IP of the offender and populate my BGP feed that way.
> But this could get complicated, too.

Honestly, there are a lot of different ways you could do this but one way
would be to first establish some visibility into the network using something
like Netflow.  Once you have flow/visibility, you could use some of this
data to identify misbehaving hosts that you want to null-route or simply
redirect into a given VRF (a la Filter-Based Forwarding)... If you have a
route-server in your environment you could use a myriad of different options
like RTBH, S/RTBH or BGP FlowSpec to drive this automatically throughout
many devices in your environment with the redirect extended community giving
you the simplicity of a big-red button... heck this could even be automated
using gear from various vendors or even some open-source tools.

Note: For full disclosure, I must admit I work for a vendor which makes
commercial gear and tools in this area. 

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
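As an added illustration of the Filter-Based Forwarding approach Stefan describes (this is not configuration from the thread or from Juniper), the Junos fragment below classifies traffic from a list of source hosts with a stateless firewall filter and sends it to a forwarding instance whose only route discards. All names, the prefix-list contents and the interface ge-0/0/0 are assumptions; the prefix list stands in for whatever process decides a host is misbehaving.

```junos
policy-options {
    /* constructed sample: hosts chosen for quarantine */
    prefix-list quarantine-hosts {
        192.0.2.10/32;
        192.0.2.20/32;
    }
}
firewall {
    family inet {
        filter quarantine-fbf {
            term quarantine {
                from { source-prefix-list quarantine-hosts; }
                then {
                    count quarantine-hits;
                    routing-instance quarantine-vr;
                }
            }
            /* a filter's implicit final action is discard, so pass everything else */
            term allow-rest { then accept; }
        }
    }
}
routing-instances {
    quarantine-vr {
        instance-type forwarding;
        routing-options {
            /* discard here; use "next-hop <addr>" instead to redirect */
            static { route 0.0.0.0/0 discard; }
        }
    }
}
routing-options {
    /* copy interface routes into the instance so a next-hop could resolve */
    interface-routes { rib-group inet quarantine-rg; }
    rib-groups {
        quarantine-rg { import-rib [ inet.0 quarantine-vr.inet.0 ]; }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet { filter { input quarantine-fbf; } }
        }
    }
}
```

Because the filter runs before the stateful flow engine, matching packets never reach the security policies; the counter gives a quick way to confirm the term is being hit before relying on it.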
