[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Wed Jul 11 18:28:31 EDT 2018


> Of Saku Ytti
> Sent: Wednesday, July 11, 2018 8:44 PM
> 
> On Wed, 11 Jul 2018 at 22:26, Chris Morrow <morrowc at ops-netman.net>
> wrote:
> 
> > > You might want "payload-protocol" for IPv6, except where you really
> > > want "next-header".  This is a case where there's not a definite
> > > single functional mapping from IPv4 to IPv6.
> >
> > unclear why that's important here though? you MAY (and probably do)
> > have different security requirements between the 2 families, right? so
> > you're making a policy in ipv4 and you're making one in ipv6.
> 
> Point probably is that if filter is as such
> 
> a) allow smtp to permitted mx
> b) drop all smtp
> c) permit rest
> 
> Then with 'payload-protocol' it works fine. With 'next-header' this filter
> is trivial to bypass, allowing the sender to send email to any MX.
> 
> However for lo0 filter it indeed does not matter, as your format should be
> 
> a) permit specific thing1
> b) permit specific thingN
> c) drop rest
> 
> No way to bypass c), so immaterial if next-header (cheap) or payload-protocol (expensive) is used.
> --
Well yes, but think about the 1st rule of thermodynamics: it almost seems like every single time someone looks at the RE filter he can spot yet another thing that's not quite kosher.

Take the BGP session filter, for example.
Yes, allowing just destination port 172 and source port ephemeral is safe, but
you might not get your session up (not sure what the rule is; higher RID
session is kept?), or configure it on two neighbouring routers and you'll
never get the session up.


adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
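As an added illustration of the "permit specific things, drop the rest" lo0 format discussed in the thread, here is a constructed Junos filter skeleton (not from the thread and not anyone's production config) covering only the BGP term: `port bgp` matches either the source or the destination port 179, so the session comes up whichever router opened the TCP connection, and the inet6 side uses the cheaper `next-header` because, with a discard term last, there is no permit to bypass. The prefix-list names, filter names and peer addresses are assumed placeholders.

```junos
firewall {
    family inet {
        filter protect-re-v4 {
            /* port matches source OR destination port 179: either side may open the session */
            term bgp {
                from {
                    source-prefix-list { bgp-neighbors-v4; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* drop rest last: nothing can be bypassed around it, so the match type above is immaterial */
            term drop-rest {
                then { count re-v4-discards; discard; }
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            /* next-header (cheap) is enough here; payload-protocol only matters when a drop term precedes a permit */
            term bgp {
                from {
                    source-prefix-list { bgp-neighbors-v6; }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term drop-rest {
                then { count re-v6-discards; discard; }
            }
        }
    }
}
policy-options {
    /* constructed example peers from documentation ranges, not real neighbours */
    prefix-list bgp-neighbors-v4 { 192.0.2.1/32; }
    prefix-list bgp-neighbors-v6 { 2001:db8::1/128; }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re-v4; } }
            family inet6 { filter { input protect-re-v6; } }
        }
    }
}
```

Before committing, check the discard counters after a `commit confirmed` so a forgotten protocol (IGP, NTP, management) shows up as counted drops rather than as a lost session.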
