[j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.

Morgan Mclean wrx230 at gmail.com
Sat Jun 23 02:41:01 EDT 2012


Actually, we used mx80's as our Internet routers. What do you suppose I use to handle my firewalling, ipsec and nat?

Thank you everyone, I will pop back to this thread when I change things up and have our security guy test again.

Sent from my iPhone

On Jun 22, 2012, at 9:39 PM, joel jaeggli <joelja at bogus.com> wrote:

> On 6/22/12 9:49 AM, Morgan Mclean wrote:
>> This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
> This is what happens when you use a stateful box for an internet router.
> 
> a router with a covering aggregate and some knowledge of the more specific on the interior would inexpensively discard traffic bound for unreachable destinations.
>> 
>> Sent from my iPhone
>> 
>> On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routehero at gmail.com> wrote:
>> 
>>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>> 
>>>> I have a /24 I want to announce, but I don't actually have it anywhere on
>>>> the network. I NAT some of its IP's on the SRX that has the BGP session
>>>> with our providers.
>>>> 
>>>> I've been using static routes with the discard flag, but I don't really
>>>> like the way the SRX handles traffic. It still creates sessions for traffic
>>>> destined to IP's not used anywhere (hitting the static route) and can be
>>>> easily dos'd because of this.
>>>> 
>>>> Is there a better way to just tell our providers hey, we have this range?
>>>> 
>>>> 
>>> It sounds like you're using the SRX as an edge router with a BGP session
>>> upstream?
>>> 
>>> I don't have this architecture here, but I had the same problem.  I had my
>>> edge router announce the /24 to the BGP upstreams, and my SRX announce the
>>> /24 via OSPF to the MX.
>>> 
>>> Unfortunately, one of my IPs was hammered, and filled up the session table
>>> with invalid sessions.  That's the real issue, at least in my case, was
>>> that even invalid sessions were taking a session, and prohibiting
>>> legitimate traffic from flowing.
>>> 
>>> The solution was only to announce from SRX to MX (edge router) the /32s
>>> that were actually in use.
>>> 
>>> I suppose that a firewall filter may help on your ingress ports to only
>>> permit the traffic to the /32s that are actually in use, but I can't say
>>> from experience if this will happen before a session is created, even in
>>> invalid state.
>>> 
>>> Scott
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
> 
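As an added illustration of the two-box design Scott and joel describe above (a covering route on a stateless edge router, and only the in-use /32s advertised from the SRX toward it), here is a constructed Junos configuration sketch. It is not from anyone in the thread; the prefix 203.0.113.0/24, AS 64496, neighbor 192.0.2.1, the interface names and the policy names are all made-up placeholders.

```junos
/* ---- MX edge router (constructed example) ---------------------------- */
routing-options {
    static {
        /* Covering route for the whole /24. Traffic to any address that
           has no more-specific route is dropped here, before it can reach
           the stateful SRX and consume a session. */
        route 203.0.113.0/24 discard;
    }
}
policy-options {
    /* Send only the exact /24 to the upstreams; the interior /32s stay inside. */
    policy-statement EXPORT-TO-UPSTREAM {
        term COVERING-ROUTE {
            from {
                protocol static;
                route-filter 203.0.113.0/24 exact;
            }
            then accept;
        }
        term DENY-REST {
            then reject;
        }
    }
}
protocols {
    bgp {
        group UPSTREAM {
            type external;
            peer-as 64496;                 /* placeholder upstream AS */
            export EXPORT-TO-UPSTREAM;
            neighbor 192.0.2.1;            /* placeholder upstream peer */
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;          /* link toward the SRX */
        }
    }
}

/* ---- SRX (constructed example) ---------------------------------------- */
routing-options {
    static {
        /* One /32 per address actually in use (e.g. a NAT address). These
           exist so OSPF has something to export; nothing for the unused
           remainder of the /24 is advertised from here. */
        route 203.0.113.10/32 discard;
        route 203.0.113.11/32 discard;
    }
}
policy-options {
    policy-statement EXPORT-IN-USE-HOSTS {
        term IN-USE {
            from {
                protocol static;
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then accept;
        }
        term DENY-REST {
            then reject;
        }
    }
}
protocols {
    ospf {
        export EXPORT-IN-USE-HOSTS;
        area 0.0.0.0 {
            interface ge-0/0/0.0;          /* link toward the MX */
        }
    }
}
```

On the MX, the OSPF-learned /32s win by longest match over the static /24, so packets for in-use addresses are forwarded to the SRX while everything else in the range is discarded on the router. A static discard route is used for the covering prefix rather than a Junos aggregate route, which is only active while at least one contributing route exists and would therefore vanish from the upstream announcement if the SRX stopped advertising /32s.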
