[j-nsp] RE filter BCP

Saku Ytti saku at ytti.fi
Thu Jan 3 15:34:41 EST 2019


On Thu, 3 Jan 2019 at 22:23, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:

> If you match on specific source (and presumably specific destination) addresses, why is a directionally agnostic port match bad?  Or is it not so much bad as it is being too lazy to create a second term or an established filter/term?

Because they can set SPORT==BGP and DPORT==SSH and hammer your SSH.

> > c) always match destination-address if you're running L3 MPLS VPNs
>
> I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?

I am suggesting that. If it's hitting the control plane it is coming to
one of your local IPs; which one it is is not important from a security
POV.

> > d) TCP when either end can initiate requires two terms
>
> As opposed to another filter or a single term matching established for already specifically configured allow terms?

As opposed to using 'port bgp', you need 'source-port bgp,
destination-port ephemeral' and 'destination-port bgp'.

> > e) have ultimate deny all rule
> >
> > On top of that, configure _every_ ddos-protection protocol.
>
> Assuming a policer falls into the category of ddos-protection protocol, what sorts of others are you referring to?

MX has a specific configuration called 'ddos-protection' which covers
many protocols, L3 and others, and fixes the problem of one bad
actor (one bad BGP session) causing collateral damage.


-- 
  ++ytti
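The filter shape described in the reply above, written out as an added example (editor's illustration, not configuration from the original post or from Juniper): the lazy 'port bgp' term is shown beside the two directional terms it should be replaced with, followed by the ultimate deny and a ddos-protection stanza for the same protocol. The filter name RE-PROTECT, the prefix list BGP-NEIGHBORS, the neighbor address 192.0.2.1 and the policer values are assumptions chosen for the illustration; Junos has no named 'ephemeral' port keyword, so the ephemeral range is spelled out numerically.

```junos
/* Added example, not from the original post. Names and addresses are assumed. */
policy-options {
    prefix-list BGP-NEIGHBORS {
        192.0.2.1/32;        /* assumed neighbor address */
    }
}
firewall {
    family inet {
        filter RE-PROTECT {
            /*
             * WEAK FORM (what the reply warns against): 'port bgp' matches
             * either side, so a packet with source-port 179 and
             * destination-port 22 from a neighbor address is accepted and
             * reaches SSH on the RE. Shown inactive for contrast only.
             */
            inactive: term bgp-lazy {
                from {
                    source-prefix-list { BGP-NEIGHBORS; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Session we initiated: neighbor replies from 179 to our ephemeral port. */
            term bgp-we-initiated {
                from {
                    source-prefix-list { BGP-NEIGHBORS; }
                    protocol tcp;
                    source-port bgp;
                    destination-port 1024-65535;
                }
                then accept;
            }
            /* Session the neighbor initiated: it connects to our port 179. */
            term bgp-they-initiated {
                from {
                    source-prefix-list { BGP-NEIGHBORS; }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* ... terms for the other protocols the RE must accept go here ... */
            /* Ultimate deny: everything not explicitly allowed is counted and dropped. */
            term deny-all {
                then {
                    count re-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-PROTECT;
                }
            }
        }
    }
}
system {
    /* Per-protocol policing so one misbehaving BGP peer cannot starve the rest. */
    ddos-protection {
        protocols {
            bgp {
                aggregate {
                    bandwidth 1000;   /* assumed pps ceiling for the illustration */
                    burst 1000;
                }
            }
        }
    }
}
```

The point of the two BGP terms is that the source-port and destination-port pairing is fixed in each direction, so a packet sourced from 179 can only reach an ephemeral destination port and never a service port such as 22. If the box also carries L3 MPLS VPNs, add a destination-prefix-list of the router's own addresses to each accept term, as the reply recommends, so traffic arriving in a VRF toward a customer address is not mistaken for control-plane traffic.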

