[j-nsp] RE filter BCP

Jason Lixfeld jason-jnsp at lixfeld.ca
Thu Jan 3 15:23:34 EST 2019


Hi,

> On Jan 3, 2019, at 2:47 PM, Saku Ytti <saku at ytti.fi> wrote:
> 
> Hey,
> 
>> I’ve noticed that publication is a little more liberal in it's RE filtering suggestions vs. say, Juniper MX Series, O’Reilly.
>> 
>> Having dug through both, the Juniper guide seems more platform agnostic, which probably contributes to why it’s more liberal (variations in cross-platform feature support).
> 
> At least the O'Reilly RE filter example is not only poor design but
> also broken, for using stuff like 'match port bgp’.

If you match on specific source (and presumably specific destination) addresses, why is a directionally agnostic port match bad?  Or is it not so much bad as it is being too lazy to create a second term or an established filter/term?

> General strategy
> 
> a) allow as specifically as RFC allows what you must, no broad permits
> b) always match destination-port
> c) always match destination-address if you're running L3 MPLS VPNs

I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?

> d) TCP when either end can initiate requires two terms

As opposed to another filter or a single term matching established for already specifically configured allow terms?

> e) have ultimate deny all rule
> 
> On top of that, configure _every_ ddos-protection protocol.

Assuming a policer falls into the category of ddos-protection protocol, what sorts of others are you referring to?

> -- 
>  ++ytti



More information about the juniper-nsp mailing list