[j-nsp] Improving EBGP defaults: sideloading RFC 8212 on Junos
adamv0025 at netconsultings.com
Tue Oct 3 04:07:54 EDT 2017
> Job Snijders
> Sent: Sunday, September 24, 2017 5:18 PM
>
> Dear all,
>
> Currently, out of the box, a device running Junos will accept any routes and
> announce any routes on an EBGP session when no import or export policy is
> defined for that neighbor. This oftentimes is not the appropriate behavior in
> context of Internet routing as it can easily result in full table route leaks.
>
> Adam Chappell created an interesting shim to improve the default behaviour
> related to EBGP Internet routing on Juniper Junos via a commit script. You
> can download the SLAX script here:
> https://github.com/packetsource/rfc8212-junos
>
> The commit script ensures an implicit “deny-any” policy is provisioned on all
> EBGP sessions for either the import or export direction (or both) if the
> respective import/export policies are absent. In other words: if you forget to
> configure an export policy statement, the commit script ensures a deny-any
> export statement is put in place. This protects both yourself and your
> neighbor!
>
> Props to both Adam for creating the script and to Juniper for allowing such
> permissionless patching! This is cool!
>
Or you can start using routers with a proper BGP implementation to connect to the internet (IOS-XR based), where this has been the default since ever.
adam