[j-nsp] Securing management access to Juniper gear
Richard A Steenbergen
ras at e-gerbil.net
Sat Sep 3 09:18:51 EDT 2011
On Fri, Sep 02, 2011 at 02:37:11PM -0400, Mark Kamichoff wrote:
>
> I'm not an EX guru, but I believe the same concepts can be applied.
With the caveats that:
1) lo0 filters *WILL* (quite incorrectly) match data plane exception
packets that get punted to the RE for further processing as well, such
as TTL expiring traceroute packets routing THROUGH the box. Mostly this
issue applies to EX, which seems to punt a whole bunch of everything to
the RE rather than deal with it on the FPC CPU like traditional Juniper
hardware, but the same thing actually still happens with TTL expiring
packets being popped out of an LSP on MX Trio hardware too. You need to
make exceptions for this in your lo0 filter, or else you'll find your
control plane filters matching more than just control plane packets,
breaking traceroute/etc, and generally pissing everyone off. I believe
there was also a related ongoing issue on EX where an lo0 filter with an
explicit deny of all traffic at the end would actually match ARP traffic
too, so you should probably be careful with those as well. :)
2) EX lo0 filters don't actually work correctly for DoS prevention, they
get applied *AFTER* the packets have already destroyed the RE, and thus
are completely ineffective at defending the boxes from attack. The only
way to correctly block control plane traffic on EX is with ingress
filters on "real" interfaces (or RVIs).
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
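One way to put both caveats into configuration, as an added example that is not from the original thread: scope every RE-protection term to the box's own addresses so that punted transit exception packets (expiring traceroute probes) fall through to a final accept, and apply the same filter on ingress interfaces or RVIs on EX where the lo0 filter runs too late. Prefix-list names, addresses, the traceroute port range and policer values are assumptions.

```junos
/* Constructed example, not from the original post. MY-ADDRS and MGMT-NETS are
   assumed prefix-list names; addresses are RFC 5737 documentation prefixes. */
policy-options {
    prefix-list MY-ADDRS { 192.0.2.1/32; 198.51.100.0/30; }   /* the box's own addresses */
    prefix-list MGMT-NETS { 203.0.113.0/24; }                  /* trusted management hosts */
}
firewall {
    policer TRACEROUTE-POLICER {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 64k; }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* Transit UDP traceroute probes that expire here are punted to the RE
               and therefore hit this filter; accept them, but rate-limited. */
            term traceroute-transit {
                from { protocol udp; destination-port 33434-33534; }
                then { policer TRACEROUTE-POLICER; accept; }
            }
            term mgmt-to-me {
                from {
                    destination-prefix-list { MY-ADDRS; }
                    source-prefix-list { MGMT-NETS; }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* ... routing-protocol, NTP and SNMP terms, each scoped to MY-ADDRS ... */
            term deny-to-me {
                from { destination-prefix-list { MY-ADDRS; } }
                then { count denied-to-re; log; discard; }
            }
            /* Anything not addressed to the box is transit (or a punted transit
               exception): let it through. This keeps the same filter safe both on
               lo0 and on a real interface or RVI, where it sees all traffic. */
            term transit { then accept; }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }     /* MX-style lo0 */
    vlan { unit 100 { family inet { filter { input PROTECT-RE; } } } }  /* EX: on the RVI */
}
```

ICMP-based traceroute variants (echo-request probes) need their own accept term with the same policer treatment; the `count` and `log` actions on the deny term give you a quick way to see what is actually being dropped before the filter goes into production.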