[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Saku Ytti saku at ytti.fi
Wed Jul 11 15:43:30 EDT 2018


On Wed, 11 Jul 2018 at 22:26, Chris Morrow <morrowc at ops-netman.net> wrote:

> > You might want "payload-protocol" for IPv6, except where you really
> > want "next-header".  This is a case where there's not a definite
> > single functional mapping from IPv4 to IPv6.
>
> unclear why that's important here though? you MAY (and probably do)
> have different security requirements between the 2 families, right? so
> you're making a policy in ipv4 and you're making one in ipv6.

The point probably is that if the filter is as such

a) allow smtp to permitted mx
b) drop all smtp
c) permit rest

Then with 'payload-protocol' it works fine. With 'next-header' this
filter is trivial to bypass, allowing the sender to send email to any MX.

However, for the lo0 filter it indeed does not matter, as your format should be

a) permit specific thing1
b) permit specific thingN
c) drop rest

No way to bypass c), so it is immaterial whether next-header (cheap) or
payload-protocol (expensive) is used.
-- 
  ++ytti

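An added model of the two match semantics described above, written for this page and not code from the thread or from Junos: it builds constructed IPv6 packets with and without extension headers, evaluates the three-term mail filter and the default-deny lo0 filter in both 'next-header' and 'payload-protocol' mode, and shows which terms fire. The addresses, ports and filter terms are assumptions chosen to mirror the message; the filter evaluation is a simplification of Junos term processing (first matching term wins, implicit discard at the end).

```python
import struct

TCP, SMTP, SSH = 6, 25, 22
EXT_HEADERS = {0, 43, 44, 60}    # hop-by-hop, routing, fragment, destination options

def addr(tail):   # constructed hosts in the 2001:db8::/32 documentation prefix
    return bytes.fromhex("20010db8" + "0" * 22 + tail)
MX, OTHER, ROUTER = addr("19"), addr("99"), addr("01")

def build_ipv6(dst, ext_chain, tcp_dport):
    """Constructed IPv6 packet: the listed extension headers, then a TCP SYN to tcp_dport."""
    payload = struct.pack("!HHIIBBHHH", 40000, tcp_dport, 1, 0, 5 << 4, 2, 65535, 0, 0)
    nh = TCP
    for ext in reversed(ext_chain):   # 8-byte ext header: next-header, hdr-ext-len 0, PadN option
        payload = struct.pack("!BB", nh, 0) + b"\x01\x04\x00\x00\x00\x00" + payload
        nh = ext
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + addr("02") + dst + payload

def payload_protocol(pkt):
    """What 'payload-protocol' matches: the protocol found after the extension-header chain."""
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        size = 8 if nh == 44 else (pkt[off + 1] + 1) * 8   # fragment header is fixed 8 bytes
        nh, off = pkt[off], off + size
    return nh, off

def evaluate(terms, pkt, mode):
    """Apply filter terms in order. mode is 'next-header' (fixed header field only)
    or 'payload-protocol'. Returns the action of the first matching term."""
    final, off = payload_protocol(pkt)
    proto = pkt[6] if mode == "next-header" else final
    dport = struct.unpack("!H", pkt[off + 2:off + 4])[0] if final == TCP else None
    dst = pkt[24:40]
    for want_proto, want_port, want_dst, action in terms:
        if want_proto is not None and proto != want_proto:
            continue
        if want_port is not None and dport != want_port:
            continue
        if want_dst is not None and dst != want_dst:
            continue
        return action
    return "discard"   # Junos: implicit discard at the end of a filter

# Mail filter from the message: a) smtp to permitted MX, b) drop all smtp, c) permit rest
MAIL_FILTER = [(TCP, SMTP, MX, "accept"), (TCP, SMTP, None, "discard"), (None, None, None, "accept")]
# lo0 filter from the message: a) permit a specific thing (ssh to the router), c) drop rest
LO0_FILTER = [(TCP, SSH, None, "accept"), (None, None, None, "discard")]
```

With the mail filter, a packet carrying a Destination Options header reaches term c) under 'next-header' but is discarded by term b) under 'payload-protocol'. With the lo0 filter the same packet hits the final discard either way; the only difference is that under 'next-header' a legitimate session that carries extension headers is also dropped, which is safe but worth knowing when troubleshooting.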
