[j-nsp] ip(v6) options

Saku Ytti saku at ytti.fi
Thu Jan 28 16:37:35 EST 2016


Anyone remember off the top of their head whether or not Trio originally
punted transit IP packets with IP options through the lo0 filter?

I could have sworn when I tested MX80, I needed forwarding-filters to
limit them.

Now it seems they hit the lo0 filter, and JTAC considers this to be correct
and by design. I view it as wildly broken, because it essentially means that
if you want to allow IP options, you need to do something like this:

a) match IP options and match any local DADDR => DROP
b) match IP options => police

As opposed to just doing b) in forwarding filters.

Much the same as it would be wildly broken to punt TTL-exceeded messages
through the lo0 filter, or anything else that is not destined to the
router itself.

The 'JunOS Router Security' book agrees:
-------------
Since optioned packets are not destined to the router itself, a lo0
firewall filter will not be able to intercept them. One can apply the
recommended filter to an incoming interface, but the management of
such a filter is cumbersome - especially for a router with many
interfaces or sub-interfaces. Alternatively, one can apply a filter to
the router forwarding table
-----

But according to JTAC, the behaviour was changed in Trio. I'm quite
confident it still behaved like this in Trio back in the early days,
and I suspect perhaps it was broken during the 'ddos protection'
introduction. But my memory may be failing me.

-- 
  ++ytti
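The a)/b) workaround described in the post, written out as a Junos lo0 filter. This is an added example, not configuration from the original post; the filter, term, counter and policer names, the policer rates and the LOCAL-ADDRESSES prefix-list are assumptions. Because Junos filters are first-match, the drop term for locally addressed optioned packets has to precede the policing term, otherwise transit and local optioned packets are treated alike.

```junos
/* Added example (not from the original post): names, rates and the
   LOCAL-ADDRESSES prefix-list are assumptions. */
policy-options {
    prefix-list LOCAL-ADDRESSES {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
}
firewall {
    policer OPTIONS-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* a) optioned packets addressed to the router itself: drop */
            term OPTIONS-TO-RE {
                from {
                    destination-prefix-list {
                        LOCAL-ADDRESSES;
                    }
                    ip-options any;
                }
                then {
                    count options-to-re;
                    discard;
                }
            }
            /* b) optioned packets that only transit the box but are still
               punted through lo0 on Trio: rate-limit instead of dropping */
            term OPTIONS-TRANSIT {
                from {
                    ip-options any;
                }
                then {
                    policer OPTIONS-POLICER;
                    accept;
                }
            }
            /* remaining control-plane protection terms follow */
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }
}
```

On a platform where optioned transit packets are not punted through lo0, the same policing term applied under `routing-options forwarding-table filter input` is all that is needed, which is the simpler design the post and the book quote argue for.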

