[j-nsp] RE filter BCP
Anderson, Charles R
cra at wpi.edu
Thu Jan 3 15:48:35 EST 2019
On Thu, Jan 03, 2019 at 10:38:50PM +0200, Saku Ytti wrote:
> On Thu, 3 Jan 2019 at 22:32, Anderson, Charles R <cra at wpi.edu> wrote:
> > > > c) always match destination-address if you're running L3 MPLS VPNs
> > >
> > > I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?
> > I would like to learn more about this particular BCP. Why is it that with L3 MPLS VPNs is it important to specify destination-address?
> Because otherwise you have to rely that no L3 MPLS VPN customer
> anywhere can advertise your internal infrastructure addresses. If you
> have 1 customer not properly filtered, then they can advertise your
> NMS station inside their L3 MPLS VPN, no biggy.
> Now they set SADDR=NMS DADDR=PE_CE_LINK
> And be accepted as your NMS. If you ensure that DADDR must be loop or
> BB link, this trick does not work. And obviously the L3 MPLS VPN can't
> send packet to those, as they're not in the table.
Thanks. I assume the same problem exists if you have VRF loopback
interfaces inside the VPN as well (e.g. OSPF router-id loopbacks for
the customer's VPN). So the idea is to restrict the destinations to
ones that will never exist inside a customer-visible VRF.
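As an added illustration of the point Saku makes above (not a configuration from this thread or from any poster), here is a Junos RE filter term that accepts NMS traffic only when it is addressed to the router's own loopback or backbone prefixes, so a packet with a spoofed NMS source aimed at a PE-CE link address in a customer VRF is discarded. All addresses and names (nms-hosts, re-loopbacks, protect-re) are constructed examples from documentation ranges.

```junos
policy-options {
    /* Constructed: the NMS stations allowed to poll the RE */
    prefix-list nms-hosts {
        192.0.2.10/32;
        192.0.2.11/32;
    }
    /* Constructed: loopback and backbone link prefixes only,
       never an address that can exist inside a customer VRF */
    prefix-list re-loopbacks {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-nms-snmp {
                from {
                    source-prefix-list {
                        nms-hosts;
                    }
                    /* Without this match, SADDR=NMS DADDR=PE_CE_LINK
                       would be accepted as if it came from the NMS */
                    destination-prefix-list {
                        re-loopbacks;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term discard-rest {
                then {
                    count discard-rest;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The discard-rest counter and log give a simple way to spot spoofed or misdirected management traffic hitting the RE.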