[j-nsp] DDoS to core interface - mitigation

Saku Ytti saku at ytti.fi
Fri Mar 9 09:38:35 EST 2018


On 9 March 2018 at 16:35,  <adamv0025 at netconsultings.com> wrote:


> Regarding point b)
> That one might be cumbersome, as IPs for CE-PE links in the Internet VRF are
> usually allocated either from your own public address space (so you'd have
> to fragment it and not advertise the block used for PE-CE links, creating more
> state in the GRT) or from PI space, which you don't have control over, yet
> it's part of your infrastructure.

In one shop I did /31 or /30 links from the customer's or our pool, but we never
advertised the connected networks. If the far end for some reason needed a
routed link network, after we tried to demotivate them, we created a /32 static
route for it. So we still didn't have that address as attack surface
on the PE from outside the PE.


-- 
  ++ytti
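The pattern described in the reply above, as an added Junos configuration example that is not part of the original post or of any vendor documentation: a /31 PE-CE link inside an Internet VRF whose connected (direct) route is never exported, plus a /32 static route for the far-end address that is exported instead. All names and values are hypothetical (interface ge-0/0/1.100, link 192.0.2.0/31 with the PE on .0 and the CE on .1, instance name INET, AS 64496 and the policy and community names); the CE's own customer prefixes would be learned by eBGP in the VRF and exported by a separate term that is not shown.

```junos
/* Hypothetical example config, not from the original post. */
interfaces {
    ge-0/0/1 {
        unit 100 {
            description "CE link, /31 taken from our own pool";
            vlan-id 100;
            family inet {
                address 192.0.2.0/31;   /* PE side is .0, CE side is .1 */
            }
        }
    }
}
policy-options {
    community INET-VRF-TARGET members target:64496:100;
    policy-statement INET-VRF-IMPORT {
        term from-target {
            from community INET-VRF-TARGET;
            then accept;
        }
        then reject;
    }
    policy-statement INET-VRF-EXPORT {
        /* Only the far end's /32 leaves the VRF, so the PE's own
           link address (192.0.2.0) is never reachable from outside. */
        term far-end-host-route {
            from {
                protocol static;
                route-filter 192.0.2.1/32 exact;
            }
            then {
                community add INET-VRF-TARGET;
                accept;
            }
        }
        /* The connected /31 itself is deliberately not exported. */
        term no-connected {
            from protocol direct;
            then reject;
        }
        /* Customer prefixes learned by BGP from the CE would be
           accepted by a further term here (not shown). */
        then reject;
    }
}
routing-instances {
    INET {
        instance-type vrf;
        interface ge-0/0/1.100;
        route-distinguisher 64496:100;
        vrf-import INET-VRF-IMPORT;
        vrf-export INET-VRF-EXPORT;
        routing-options {
            static {
                /* Host route for the CE address only, pointing at the link */
                route 192.0.2.1/32 next-hop ge-0/0/1.100;
            }
        }
    }
}
```

To check the result on a PE, look at what is actually advertised to a route reflector or peer with `show route advertising-protocol bgp <neighbor> table INET.inet.0`: the /32 for the CE should appear and the /31 should not. This only removes the PE-side link address from external reachability; the CE address remains reachable, which is the trade-off the reply accepts when the far end insists on a routed link network.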

