[j-nsp] MX480

Saku Ytti saku at ytti.fi
Wed Jun 20 05:14:32 EDT 2018


On Tue, 19 Jun 2018 at 18:03, Saku Ytti <saku at ytti.fi> wrote:

>            from {
>                 source-prefix-list {
>                     rsvp_neighbors;
>                 }
>                 protocol udp;
>                 destination-port 8503;
>             }
>

Oh, I need to add one important thing. RFC mandates that SPORT is
ephemeral, but JNPR uses 8503 (against RFC). If you're like me, you
build strict lo0 filters as strict as RFC allows, and in this case it
would not work, as 'source-port <ephemeral>' would not match the
incoming packet.

I think JNPR implementation is better than RFC, and I'd like errata to
happen on the RFC. 8503<->8503 is more desirable than
ephemeral<->8503. But you should be defensive and accept at least
ephemeral + 8503 as source port, so that it doesn't break if JNPR
implementation starts to follow RFC. Usually there are no security
implications in omitting source-port match (but never omit
destination-port match, even if the source is strictly known).

-- 
  ++ytti
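The defensive term described in the message, written out as an added Junos configuration example (not taken from the original post). The filter and term names are assumed, `rsvp_neighbors` is the prefix list from the quoted config, and the ephemeral range is assumed as 1024-65535 because the actual range varies by implementation; the strict RFC-only form is shown as a comment for comparison.

```junos
firewall {
    family inet {
        filter lo0-protect {
            /* Accept UDP 8503 only from known neighbors.
               Strict RFC form would be: source-port 1024-65535;
               That fails against the JNPR behaviour, which sources from 8503.
               Accepting both keeps the term working either way. */
            term lmp-8503 {
                from {
                    source-prefix-list {
                        rsvp_neighbors;
                    }
                    protocol udp;
                    source-port [ 8503 1024-65535 ];
                    destination-port 8503;
                }
                then accept;
            }
            /* Other control-plane terms go here; keep the explicit
               destination-port match in each one. */
            term default-discard {
                then {
                    count discarded;
                    discard;
                }
            }
        }
    }
}
```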

