[j-nsp] What's the best way to announce an IP range in BGP? Doesn't physically exist anywhere.

joel jaeggli joelja at bogus.com
Sat Jun 23 00:39:05 EDT 2012


On 6/22/12 9:49 AM, Morgan Mclean wrote:
> This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
This is what happens when you use a stateful box for an internet router.

A router with a covering aggregate and some knowledge of the more 
specifics on the interior would inexpensively discard traffic bound for 
unreachable destinations.
>
> Sent from my iPhone
>
> On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routehero at gmail.com> wrote:
>
>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>
>>> I have a /24 I want to announce, but I don't actually have it anywhere on
>>> the network. I NAT some of its IPs on the SRX that has the BGP session
>>> with our providers.
>>>
>>> I've been using static routes with the discard flag, but I don't really
>>> like the way the SRX handles traffic. It still creates sessions for traffic
>>> destined to IPs not used anywhere (hitting the static route) and can be
>>> easily DoS'd because of this.
>>>
>>> Is there a better way to just tell our providers hey, we have this range?
>>>
>>>
>> It sounds like you're using the SRX as an edge router with a BGP session
>> upstream?
>>
>> I don't have this architecture here, but I had the same problem.  I had my
>> edge router announce the /24 to the BGP upstreams, and my SRX announce the
>> /24 via OSPF to the MX.
>>
>> Unfortunately, one of my IPs was hammered, and filled up the session table
>> with invalid sessions.  That was the real issue, at least in my case: even
>> invalid sessions were taking a session and prohibiting legitimate traffic
>> from flowing.
>>
>> The solution was only to announce from SRX to MX (edge router) the /32s
>> that were actually in use.
>>
>> I suppose that a firewall filter may help on your ingress ports to only
>> permit the traffic to the /32s that are actually in use, but I can't say
>> from experience if this will happen before a session is created, even in
>> invalid state.
>>
>> Scott
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

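An added configuration example, not posted by anyone in the thread, of the split Scott and Joel describe: the MX edge router holds a covering discard aggregate for the /24 and announces only that to the upstream, while the SRX exports into OSPF just the /32s that actually carry NAT, so traffic for unused addresses is dropped on the stateless MX and never creates a session on the SRX. The prefixes (192.0.2.0/24, 198.51.100.1), AS 64496, the interface names and the policy names are assumptions, and the SRX's own zones, NAT rules and security policies are assumed to exist and are not shown.

```junos
/* === MX edge router: eBGP to the provider, OSPF toward the SRX === */
routing-options {
    aggregate {
        /* Covering route for the block (assumed prefix). "discard" drops
           anything matching only this route. An aggregate is active only
           while a contributing more-specific exists (here the /32s learned
           from the SRX via OSPF); use "static route 192.0.2.0/24 discard"
           instead if the /24 must stay announced with no /32 present. */
        route 192.0.2.0/24 discard;
    }
}
policy-options {
    policy-statement EXPORT-UPSTREAM {
        /* Announce only the /24 aggregate to the provider, never the /32s. */
        term aggregate-only {
            from {
                protocol aggregate;
                route-filter 192.0.2.0/24 exact;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group UPSTREAM {
            type external;
            peer-as 64496;                 /* assumed provider ASN */
            export EXPORT-UPSTREAM;
            neighbor 198.51.100.1;         /* assumed provider address */
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;          /* assumed link to the SRX */
        }
    }
}

/* === SRX: stateful, no upstream BGP, only OSPF toward the MX === */
routing-options {
    static {
        /* One /32 per NAT address actually in use. These exist so OSPF
           has routes to export; the MX will then forward only traffic for
           these hosts to the SRX. NAT for them is configured separately. */
        route 192.0.2.10/32 discard;
        route 192.0.2.11/32 discard;
    }
}
policy-options {
    policy-statement EXPORT-NAT-HOSTS {
        /* Export only the in-use /32s, nothing wider. */
        term in-use-hosts {
            from {
                protocol static;
                route-filter 192.0.2.0/24 prefix-length-range /32-/32;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    ospf {
        export EXPORT-NAT-HOSTS;
        area 0.0.0.0 {
            interface ge-0/0/0.0;          /* assumed link to the MX */
        }
    }
}
```

Adding a new NAT address then means adding one /32 static route on the SRX; the MX picks it up via OSPF, and the provider-facing announcement does not change. Check with `show route 192.0.2.0/24 exact` on the MX that the aggregate is active, and with `show route advertising-protocol bgp 198.51.100.1` that only the /24 leaves the box.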