[j-nsp] Firewall filter using a prefix-list, not updating
Saku Ytti
saku at ytti.fi
Mon Mar 5 10:56:50 EST 2012
On (2012-03-05 10:47 -0500), Justin M. Streiner wrote:
> With this in mind, do you have any recommendations for deploying a
> sane IPv6 ingress/egress filter policy on Juniper gear?
Try to make IPv6 rules where the ultimate address-matching rule is deny. So if
you are doing iACL, allow UDP high ports, ICMP whatnot, then deny protocol
agnostically everything to your infrastructure.

Then an attacker can only bypass the permit statement, but will hit the
protocol-agnostic deny statement.

Other than that, ask JNPR to implement 'match tcp' like IPv4, not just
'next-protocol', which is needed also, of course.

I'm pretty sure DPCE could do this also, at least EZchip could, but I don't
expect it ever to be supported in DPCE. I'm confident it'll be supported
some day in Trio, while I have no information from JNPR on the matter.
--
++ytti
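As an added illustration of the filter structure described in the reply above (not configuration from the thread or from Juniper), here is a minimal IPv6 iACL in Junos "set" syntax: specific permits to infrastructure first, then a protocol-agnostic discard for everything else addressed to infrastructure, then accept for transit. The prefixes, the filter and counter names, the chosen UDP port range and the interface are all assumptions.

```junos
## Added example, not from the original post. All prefixes, names and
## port choices below are assumptions made for illustration.

## Infrastructure addresses (loopbacks, link nets) kept in a prefix-list
set policy-options prefix-list INFRA-V6 2001:db8:ffff::/48
## Configured BGP peers (assumed prefix)
set policy-options prefix-list BGP-PEERS-V6 2001:db8:1::/64

## 1. Specific permits toward infrastructure
set firewall family inet6 filter IACL-V6 term allow-bgp from source-prefix-list BGP-PEERS-V6
set firewall family inet6 filter IACL-V6 term allow-bgp from destination-prefix-list INFRA-V6
set firewall family inet6 filter IACL-V6 term allow-bgp from next-header tcp
set firewall family inet6 filter IACL-V6 term allow-bgp from destination-port bgp
set firewall family inet6 filter IACL-V6 term allow-bgp then accept

## UDP high ports to infrastructure (e.g. traceroute probes); range is assumed
set firewall family inet6 filter IACL-V6 term allow-udp-high from destination-prefix-list INFRA-V6
set firewall family inet6 filter IACL-V6 term allow-udp-high from next-header udp
set firewall family inet6 filter IACL-V6 term allow-udp-high from destination-port 1024-65535
set firewall family inet6 filter IACL-V6 term allow-udp-high then accept

## ICMPv6 to infrastructure (neighbor discovery, PMTUD, echo)
set firewall family inet6 filter IACL-V6 term allow-icmp6 from destination-prefix-list INFRA-V6
set firewall family inet6 filter IACL-V6 term allow-icmp6 from next-header icmp6
set firewall family inet6 filter IACL-V6 term allow-icmp6 then accept

## 2. Protocol-agnostic deny: anything else addressed to infrastructure is
##    dropped no matter what the next-header is. A packet whose TCP header
##    sits behind extension headers fails the next-header tcp match above,
##    so it cannot be accepted by the permit; it lands here and is counted.
set firewall family inet6 filter IACL-V6 term deny-infra from destination-prefix-list INFRA-V6
set firewall family inet6 filter IACL-V6 term deny-infra then count infra-denied
set firewall family inet6 filter IACL-V6 term deny-infra then discard

## 3. Transit traffic not aimed at infrastructure passes
set firewall family inet6 filter IACL-V6 term transit then accept

## Apply on the edge interface (interface is assumed)
set interfaces xe-0/0/0 unit 0 family inet6 filter input IACL-V6
```

The ordering is the whole point: because the last address-matching term discards regardless of protocol, a mismatch in the next-header logic of a permit term fails closed rather than open, and the infra-denied counter gives an operator something to watch for unexpected hits.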