[j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
Morgan Mclean
wrx230 at gmail.com
Sat Jun 23 02:41:01 EDT 2012
Actually, we used mx80's as our Internet routers. What do you suppose I use to handle my firewalling, ipsec and nat?
Thank you everyone, I will pop back to this thread when I change things up and have our security guy test again.
Sent from my iPhone
On Jun 22, 2012, at 9:39 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 6/22/12 9:49 AM, Morgan Mclean wrote:
>> This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
> This is what happens when you use a stateful box for an internet router.
>
> a router with a covering aggregate and some knowledge of the more specific on the interior would inexpensively discard traffic bound for unreachable destinations.
>>
>> Sent from my iPhone
>>
>> On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routehero at gmail.com> wrote:
>>
>>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>>
>>>> I have a /24 I want to announce, but I don't actually have it anywhere on
>>>> the network. I NAT some of its IP's on the SRX that has the BGP session
>>>> with our providers.
>>>>
>>>> I've been using static routes with the discard flag, but I don't really
>>>> like the way the SRX handles traffic. It still creates sessions for traffic
>>>> destined to IP's not used anywhere (hitting the static route) and can be
>>>> easily dos'd because of this.
>>>>
>>>> Is there a better way to just tell our providers hey, we have this range?
>>>>
>>>>
>>> It sounds like you're using the SRX as an edge router with a BGP session
>>> upstream?
>>>
>>> I don't have this architecture here, but I had the same problem. I had my
>>> edge router announce the /24 to the BGP upstreams, and my SRX announce the
>>> /24 via OSPF to the MX.
>>>
>>> Unfortunately, one of my IPs was hammered, and filled up the session table
>>> with invalid sessions. The real issue, at least in my case, was
>>> that even invalid sessions were taking a session, and prohibiting
>>> legitimate traffic from flowing.
>>>
>>> The solution was only to announce from SRX to MX (edge router) the /32s
>>> that were actually in use.
>>>
>>> I suppose that a firewall filter may help on your ingress ports to only
>>> permit the traffic to the /32s that are actually in use, but I can't say
>>> from experience if this will happen before a session is created, even in
>>> invalid state.
>>>
>>> Scott
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
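The split Scott and Joel describe, written out as an added Junos configuration sketch (this is not config from anyone in the thread; the prefixes, AS number, interface names and policy names are invented placeholders): the MX holds the covering /24 as a discard route and announces it upstream, while the SRX originates only the /32s it actually uses, so packets for the rest of the range are dropped on the stateless router and never consume an SRX session.

```junos
/* MX80 (Internet edge): owns the covering aggregate.            */
/* Any destination without a more specific route is discarded    */
/* here, before it can reach the stateful SRX.                   */
routing-options {
    static {
        route 192.0.2.0/24 discard;   /* covering aggregate, never forwarded */
    }
}
policy-options {
    policy-statement ANNOUNCE-AGGREGATE {
        term aggregate {
            from {
                protocol static;
                route-filter 192.0.2.0/24 exact;
            }
            then accept;
        }
        then reject;                  /* never leak the OSPF-learned /32s */
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-1/0/0.0;     /* link toward the SRX */
        }
    }
    bgp {
        group upstream {
            type external;
            export ANNOUNCE-AGGREGATE;
            neighbor 198.51.100.1 { peer-as 64496; }
        }
    }
}

/* SRX (firewall/NAT): only the /32s in use are exported to the MX. */
/* The discard next hop only puts the /32 in the RIB; destination   */
/* NAT is applied before the route lookup, so NATed flows are never */
/* matched against it (assumption about SRX first-path order).      */
routing-options {
    static {
        route 192.0.2.10/32 discard;  /* one in-use NAT address */
    }
}
policy-options {
    policy-statement EXPORT-IN-USE {
        term in-use {
            from {
                protocol static;
                route-filter 192.0.2.0/24 prefix-length-range /32-/32;
            }
            then accept;
        }
        then reject;
    }
}
protocols {
    ospf {
        export EXPORT-IN-USE;
        area 0.0.0.0 {
            interface ge-0/0/0.0;     /* link toward the MX */
        }
    }
}
```

With this layout, a flood aimed at an unused address in 192.0.2.0/24 is dropped by the MX's discard route, and the SRX session table only sees traffic for the /32s it advertised.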