[j-nsp] RE filter BCP
saku at ytti.fi
Thu Jan 3 15:38:50 EST 2019
On Thu, 3 Jan 2019 at 22:32, Anderson, Charles R <cra at wpi.edu> wrote:
> > > c) always match destination-address if you're running L3 MPLS VPNs
> > I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?
> I would like to learn more about this particular BCP. Why is it that with L3 MPLS VPNs is it important to specify destination-address?
Because otherwise you have to rely that no L3 MPLS VPN customer
anywhere can advertise your internal infrastructure addresses. If you
have 1 customer not properly filtered, then they can advertise your
NMS station inside their L3 MPLS VPN, no biggy.
Now they set SADDR=NMS DADDR=PE_CE_LINK
And be accepted as your NMS. If you ensure that DADDR must be loop or
BB link, this trick does not work. And obviously the L3 MPLS VPN can't
send packet to those, as they're not in the table.
I know that this trick has worked on all companies I've worked for who
have had L3 MPLS VPN, because realistically anyone who widely deploys
L3 MPLS VPN will not have perfect hygiene in prefix-filtering.
More information about the juniper-nsp