[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
Antti Ristimäki
antti.ristimaki at csc.fi
Fri Jul 13 08:40:27 EDT 2018
----- On 13 Jul, 2018, at 11:30, Saku Ytti saku at ytti.fi wrote:
> On Fri, 13 Jul 2018 at 06:19, Antti Ristimäki <antti.ristimaki at csc.fi> wrote:
>
>> I can see the reasoning behind disabling sub detection, but how would you then
>> protect e.g. in a peering VLAN a single peer from killing also all the other
>> BGP sessions behind that specific ifl?
>
> I'm sure you were anticipating my answer: you don't.
>
> I don't think there is a reasonable way to make shared LAN termination
> safe. The sub detection _MIGHT_ work against some unintentional DDoS
> vectors in shared LAN, but it can't really work for intentional DDoS
> vectors. MX model I was testing against had about 4k policers for
> DDoS, plenty for reasonably protecting protocol*ifl with dynamic
> detection (with static policers, not very reasonable even there). But
> 4k for sub detection? Just use 4k source ports and you congest the
> policers, and when that happens they are compressed to next-level
> (ifl) anyhow.
> But just being able to limit collateral damage to IFL level is huge,
> no other vendor can do it AFAIK.
Right. Also if one has a host in a, let's say, /64 IPv6 subnet, (s)he can send traffic towards the router from quite many source addresses and thus deplete the policers.
Antti
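As an added example, not code from the thread or either poster: a Junos DDoS-protection fragment of the kind the exchange is about, with subscriber-level flow detection left off for BGP (the policer table the thread describes as exhaustible by many source ports or addresses) and dynamic logical-interface detection kept, so one peer's flood is contained to its ifl. The bandwidth values and timers are assumed numbers, not figures quoted in the thread.

```junos
# Added example; rates and timers below are assumed values.
# Flow detection is off by default; this turns it on globally.
set system ddos-protection global flow-detection

# Aggregate control-plane policer for BGP (assumed limits, pps).
set system ddos-protection protocols bgp aggregate bandwidth 2000
set system ddos-protection protocols bgp aggregate burst 2000

# Subscriber (per source) level: off. As the thread notes, this level has a
# finite number of policers, and once they are all in use flows are
# compressed to the next level (ifl) anyway.
set system ddos-protection protocols bgp aggregate flow-level-detection subscriber off

# Logical-interface level: automatic, i.e. dynamic detection that only kicks
# in when the aggregate policer is violated, rather than a static per-ifl
# policer. Collateral damage from one peer stays on that peer's ifl.
set system ddos-protection protocols bgp aggregate flow-level-detection logical-interface automatic
set system ddos-protection protocols bgp aggregate flow-level-bandwidth logical-interface 1000

# Physical-interface level as the outer fallback (assumed rate).
set system ddos-protection protocols bgp aggregate flow-level-detection physical-interface automatic
set system ddos-protection protocols bgp aggregate flow-level-bandwidth physical-interface 1500

# How long a flow must exceed its rate before it is flagged, and how long it
# must stay under the rate before suppression is lifted (seconds, assumed).
set system ddos-protection protocols bgp aggregate flow-detect-time 3
set system ddos-protection protocols bgp aggregate flow-recover-time 60
```

After commit, `show ddos-protection protocols bgp culprit-flows` lists the flows currently being suppressed and at which level (subscriber, ifl or physical interface) they were caught, and `show ddos-protection protocols bgp violations` shows whether the aggregate policer itself is being hit.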