[j-nsp] SRX policy action to inject a route in a table??

Clarke Morledge chmorl at wm.edu
Fri Mar 18 09:52:44 EDT 2011


On Thu, 17 Mar 2011, Brandon Ross wrote:

> On Thu, 17 Mar 2011, Clarke Morledge wrote:
>
>> What I have in mind is some way to use the SRX to grab the IPs of 
>> misbehaving hosts and put the address in a RIB.  Then I can use routing 
>> policy to put the route into a BGP feed to a border router that would null 
>> route traffic to and from that IP address using tricks with Unicast Reverse 
>> Path Forwarding.
>
> Cool, so if a miscreant wants to DoS you, all he has to do is spoof source 
> traffic from any destinations that are important to you and you'll do the 
> null routing for him, eh?

Brandon,

As I mentioned in my original post, there are all sorts of DoS issues to 
consider, and your point is one of them.

However, isn't this an issue with any inline IPS that has some type of 
quarantining function?  Furthermore, doesn't the IDP functionality on the 
SRX itself suffer the same limitation?

My main consideration is to take the IPS-ish intelligence on the SRX and 
push the quarantining function back to a routing device further upstream. 
There's a lot of low hanging fruit you could deal with in this way.  We 
already use blacklisting via null routing with uRPF very effectively. 
But we have to manually add to the blacklist. The question I have is 
whether you can automate this via the SRX, aside from the DoS concern.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
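A defender-side sketch of the automation Clarke is asking about, added here as an illustration and not part of the thread or of any Juniper feature: it takes offender addresses handed over by a sensor, refuses anything inside a protected prefix (the spoofed-source problem Brandon raises) or a non-routable range, caps how many entries one run may add, and renders Junos host discard routes. The protected prefixes, the sample report, and the cap value are constructed; the BGP side (exporting the discard routes to the border router with a community) is left out.

```python
import ipaddress

# Constructed values: prefixes standing in for "destinations that are important
# to you". A reported offender inside any of these is refused, so a spoofed
# source cannot get the border router to blackhole them.
PROTECTED = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24",   # constructed: our public server range
    "203.0.113.10/32",   # constructed: upstream resolver we depend on
)]

# Ranges that are never legitimate Internet sources; a report naming one of
# them is a spoof or a misconfiguration, and a discard route for it buys nothing.
NOT_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def _in_any(ip, nets):
    # ipaddress returns False for a version mismatch, so mixing v4/v6 is safe.
    return any(ip in n for n in nets)


def blackhole_candidates(reported, max_entries=100):
    """Filter sensor-reported offender addresses down to the ones safe to blackhole.

    Returns (accepted, rejected): accepted is a list of host addresses as
    strings, rejected is a list of (raw_input, reason) pairs for human review.
    """
    accepted, rejected, seen = [], [], set()
    for raw in reported:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if ip in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(ip)
        if _in_any(ip, NOT_ROUTABLE):
            rejected.append((raw, "not a routable source"))
            continue
        if _in_any(ip, PROTECTED):
            rejected.append((raw, "inside a protected prefix"))
            continue
        if len(accepted) >= max_entries:
            # The cap bounds how much of the border router's table a flood of
            # reports can consume; anything beyond it needs a human decision.
            rejected.append((raw, "entry cap reached"))
            continue
        accepted.append(str(ip))
    return accepted, rejected


def junos_discard_routes(addrs):
    """Render host discard routes in Junos set syntax.

    With loose-mode uRPF (rpf-check mode loose) on the border router's ingress
    interfaces, a discard route drops traffic *from* the address as well as
    traffic *to* it; that is the uRPF trick the thread refers to.
    """
    lines = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version == 4:
            lines.append(f"set routing-options static route {a}/32 discard")
        else:
            lines.append(f"set routing-options rib inet6.0 static route {a}/128 discard")
    return lines


if __name__ == "__main__":
    # Constructed sample of what an IDP sensor might hand over.
    sample = ["192.0.2.7", "198.51.100.5", "10.0.0.9", "192.0.2.7",
              "garbage", "2001:db8::bad"]
    ok, bad = blackhole_candidates(sample)
    print("\n".join(junos_discard_routes(ok)))
    for raw, why in bad:
        print(f"# skipped {raw}: {why}")
```

The rejected list is worth keeping: a sudden run of "inside a protected prefix" rejections is itself a signal that someone is spoofing your own addresses at the sensor.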

