[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Saku Ytti saku at ytti.fi
Fri Jul 13 04:30:19 EDT 2018


On Fri, 13 Jul 2018 at 06:19, Antti Ristimäki <antti.ristimaki at csc.fi> wrote:

> I can see the reasoning behind disabling sub detection, but how would you then protect e.g. in a peering VLAN a single peer from killing also all the other BGP sessions behind that specific ifl?

I'm sure you were anticipating my answer: you don't.

I don't think there is a reasonable way to make shared LAN termination
safe. The sub detection _MIGHT_ work against some unintentional DDoS
vectors in a shared LAN, but it can't really work for intentional DDoS
vectors. The MX model I was testing against had about 4k policers for
DDoS, plenty for reasonably protecting protocol*ifl with dynamic
detection (with static policers, not very reasonable even there). But
4k for sub detection? Just use 4k source ports and you congest the
policers, and when that happens they are compressed to the next level
(ifl) anyhow.
But just being able to limit collateral damage to the IFL level is huge;
no other vendor can do it AFAIK.

Largely the DDoS protection scheme was inspired by ERX, and the whole
sub thing was related to PPPoE subscribers, where the number of keys is
far more finite than in TCP.

As far as I know, Juniper can be control-plane protected better than
any other platform in the market, by a large margin, but it's just a
lot harder than what we can realistically expect operators to be able
to do: Schrödinger's control-plane protection, it's there, but it
really isn't.

-- 
  ++ytti
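For readers who want to see what "disable sub detection, keep IFL-level detection" looks like in practice, the following is an added illustration and is not configuration from either poster or from Juniper documentation. It uses the Junos `system ddos-protection` hierarchy as the editor knows it: suspicious-flow detection is enabled globally in automatic mode (flows are only examined while a protocol policer is already being violated), the per-subscriber detection level that the thread argues cannot survive a deliberate source-port spread is switched off, and the logical-interface (ifl) and physical-interface (ifd) levels stay on so that a misbehaving peer on a shared VLAN is at worst policed down to its own ifl rather than taking the whole BGP policer with it. The per-flow pps figures and the BGP aggregate policer values are placeholders chosen for the example, not recommendations, and the exact knob names and defaults should be checked against the Junos release on the box before use.

```junos
system {
    ddos-protection {
        global {
            /* Suspicious-flow detection; "automatic" only inspects flows
               while the protocol's aggregate policer is in violation. */
            flow-detection;
            flow-detection-mode automatic;
            /* Disable the per-subscriber level (an attacker needs only a
               few thousand source ports to exhaust it); keep the ifl and
               ifd levels so damage is contained to one logical interface. */
            flow-level-detection {
                subscriber off;
                logical-interface on;
                physical-interface on;
            }
            /* Placeholder per-flow allowances in pps at each level;
               tune to the real control-plane load of the platform. */
            flow-level-bandwidth {
                logical-interface 100;
                physical-interface 1000;
            }
        }
        protocols {
            bgp {
                /* Placeholder aggregate policer for all BGP punts; this is
                   the shared resource a single peer would otherwise exhaust. */
                aggregate {
                    bandwidth 1000;
                    burst 1000;
                }
            }
        }
    }
}
```

After commit, `show ddos-protection protocols bgp` shows whether the aggregate policer is in violation and `show ddos-protection protocols bgp culprit-flows` lists which ifl (and, had subscriber detection been left on, which subscriber) the suspicious flows were attributed to; that output is the place to confirm the fallback the thread describes, i.e. that once the flow table is full the offending traffic collapses onto an ifl-level entry rather than onto the shared protocol policer.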

