[j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
Scott T. Cameron
routehero at gmail.com
Sat Jun 23 07:28:58 EDT 2012
Generally you only want to bring traffic down to your SRX that can actually
be used. There's no reason to advertise a /24 to your MX via IGP when
you're only actually using a /27 -- the leftover is just going to take up
sessions through random internet scans, etc.
Forcing advertisements of /32 from SRX to MX has some administrative
overhead, but is generally worth it. I have a policy that matches my /24
orlonger, and inject /32 static discard routes. The only bother is
remembering to inject the /32 when a new NAT address is being used.
Even so, some SRX nodes have a really low session count.
- My SRX240: 128k
- My SRX3400: 400k
- My SRX5600: 1M per PIC (3M total in my config)
The MX can be used to drop traffic to a specific IP that's causing your SRX
trouble, or rate limit, etc. The MX has no problem dropping high volume
traffic.
You can also configure the session timeouts to be more reasonable for
applications in your environment. I think the default for TCP is 15
minutes -- maybe you don't need that.
Scott
On Sat, Jun 23, 2012 at 2:41 AM, Morgan Mclean <wrx230 at gmail.com> wrote:
> Actually, we used mx80's as our Internet routers. What do you suppose I
> use to handle my firewalling, ipsec and nat?
>
> Thank you everyone, I will pop back to this thread when I change things up
> and have our security guy test again.
>
> Sent from my iPhone
>
> On Jun 22, 2012, at 9:39 PM, joel jaeggli <joelja at bogus.com> wrote:
>
> > On 6/22/12 9:49 AM, Morgan Mclean wrote:
> >> This is exactly what happened. The session table filled up. One of our
> security guys took down our edge 650 cluster from a single unix box out on
> the net.
> > This is what happens when you use a stateful box for an internet router.
> >
> > a router with a covering aggreate and some knowledge of the more
> specifc on the interior would inexpensively discard traffic bound for
> unreachable destinations.
> >>
> >> Sent from my iPhone
> >>
> >> On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routehero at gmail.com>
> wrote:
> >>
> >>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx230 at gmail.com>
> wrote:
> >>>
> >>>> I have a /24 I want to announce, but I don't actually have it
> anywhere on
> >>>> the network. I NAT some of its IP's on the SRX that has the BGP
> session
> >>>> with our providers.
> >>>>
> >>>> I've been using static routes with the discard flag, but I don't
> really
> >>>> like the way the SRX handles traffic. It still creates sessions for
> traffic
> >>>> destined to IP's not used anywhere (hitting the static route) and can
> be
> >>>> easily dos'd because of this.
> >>>>
> >>>> Is there a better way to just tell our providers hey, we have this
> range?
> >>>>
> >>>>
> >>> It sounds like you're using the SRX as an edge router with a BGP
> session
> >>> upstream?
> >>>
> >>> I don't have this architecture here, but I had the same problem. I
> had my
> >>> edge router announce the /24 to the BGP upstreams, and my SRX announce
> the
> >>> /24 via OSPF to the MX.
> >>>
> >>> Unfortunately, one of my IPs was hammered, and filled up the session
> table
> >>> with invalid sessions. That's the real issue, at least in my case, was
> >>> that even invalid sessions were taking a session, and prohibiting
> >>> legitimate traffic from flowing.
> >>>
> >>> The solution was only to announce from SRX to MX (edge router) the /32s
> >>> that were actually in use.
> >>>
> >>> I suppose that a firewall filter may help on your ingress ports to only
> >>> permit the traffic to the /32s that are actually in use, but I can't
> say
> >>> from experience if this will happen before a session is created, even
> in
> >>> invalid state.
> >>>
> >>> Scott
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
>
More information about the juniper-nsp
mailing list