[j-nsp] RE filter BCP
Saku Ytti
saku at ytti.fi
Thu Jan 3 14:47:05 EST 2019
Hey,
> I’ve noticed that publication is a little more liberal in its RE filtering suggestions vs. say, Juniper MX Series, O’Reilly.
>
> Having dug through both, the Juniper guide seems more platform agnostic, which probably contributes to why it’s more liberal (variations in cross-platform feature support).
At least the O'Reilly RE filter example is not only poor design but
also broken, for using stuff like 'match port bgp'.
General strategy
a) allow as specifically as RFC allows what you must, no broad permits
b) always match destination-port
c) always match destination-address if you're running L3 MPLS VPNs
d) TCP when either end can initiate requires two terms
e) have ultimate deny all rule
On top of that, configure _every_ ddos-protection protocol.
--
++ytti
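The strategy in the list above, written out as a lo0 input filter. This is an added illustration, not the author's configuration or any vendor example: the prefix-list names, the RFC 5737 documentation addresses in them, and the policer values are placeholders. BGP gets two terms because either side may open the session: one for sessions the peer initiates (destination-port 179 on our side) and one for sessions we initiate (the peer's replies carry source-port 179 to an ephemeral port on our side). Every accept term also matches destination-prefix-list, so only traffic aimed at the router's own addresses passes, and the filter ends with an explicit discard.

```junos
policy-options {
    /* constructed placeholder prefixes (RFC 5737 documentation ranges) */
    prefix-list RE-LOCAL-ADDRESSES {
        192.0.2.1/32;
    }
    prefix-list BGP-PEERS {
        203.0.113.2/32;
        203.0.113.3/32;
    }
    prefix-list MGMT-HOSTS {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter RE-PROTECT {
            /* (d) BGP, peer-initiated: peer connects to our port 179 */
            term bgp-peer-initiated {
                from {
                    source-prefix-list { BGP-PEERS; }
                    destination-prefix-list { RE-LOCAL-ADDRESSES; }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* (d) BGP, locally initiated: replies arrive from the peer's port 179;
               tcp-established excludes a bare SYN towards our ephemeral ports */
            term bgp-local-initiated {
                from {
                    source-prefix-list { BGP-PEERS; }
                    destination-prefix-list { RE-LOCAL-ADDRESSES; }
                    protocol tcp;
                    source-port bgp;
                    tcp-established;
                }
                then accept;
            }
            /* (a)+(b) management SSH: only from the management hosts, only to port 22;
               no second term is needed because only the remote side initiates */
            term ssh-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    destination-prefix-list { RE-LOCAL-ADDRESSES; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* (e) ultimate deny: count and log so silently dropped traffic is visible */
            term deny-all {
                then {
                    count re-filter-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-PROTECT;
                }
            }
        }
    }
}
system {
    /* per-protocol ddos-protection policer; shown for bgp only, placeholder values,
       the same stanza is needed for every other protocol the box speaks */
    ddos-protection {
        protocols {
            bgp {
                aggregate {
                    bandwidth 1000;
                    burst 1000;
                }
            }
        }
    }
}
```

Note that the broken form the message criticises, a plain `port bgp` match, would accept any TCP packet with 179 in either the source or destination field from any source, which is why each term above names one direction explicitly. After committing, `show firewall filter RE-PROTECT` exposes the `re-filter-discards` counter, which is the quickest check that the deny term is catching what the accept terms were not meant to pass.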