[j-nsp] IPv6 firewall policy for MX
Saku Ytti
saku at ytti.fi
Sat Jun 29 03:30:49 EDT 2019
Hey Lee,
> I think you need to take some time to understand IPv6 before implementing.
> The book examples don't restrict RS/RA to link local, are too open on
> things like BGP and traceroute. Trio hardware also has payload-protocol
> available in addition to next-header for matching.
I don't think there is any need to. We've troubleshot many outages
caused by customers limiting NS/NA to link-local or GUA, which may
work and may stop working when one end changes.
A robust and secure rule would be something like:
term icmp:nd {
    from {
        next-header icmp6;
        icmp-type [ router-solicit router-advertisement
                    neighbor-solicit neighbor-advertisement ];
        hop-limit 255;
    }
    then {
        count icmp:nd;
        accept;
    }
}
term icmp {
    from {
        next-header icmp6;
        icmp-type [ echo-reply echo-request time-exceeded
                    destination-unreachable packet-too-big parameter-problem ];
    }
    then {
        policer police_local;
        count icmp;
        accept;
    }
}
--
++ytti
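The two terms above, modelled as a small packet classifier (an added example, not code from the original post or from Junos): it shows why matching ND on hop-limit 255 accepts legitimate NS/NA/RS/RA from either a link-local or a GUA source, while an ND packet that has crossed a router (hop limit already decremented) falls through to the filter's implicit discard. The `Pkt` fields and the sample addresses are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# ICMPv6 type names as used in the two Junos terms above.
ND_TYPES = {"router-solicit", "router-advertisement",
            "neighbor-solicit", "neighbor-advertisement"}
OTHER_ICMP_TYPES = {"echo-reply", "echo-request", "time-exceeded",
                    "destination-unreachable", "packet-too-big",
                    "parameter-problem"}


@dataclass
class Pkt:
    """Constructed, minimal view of an IPv6 packet header (assumption: only
    the fields the filter looks at are modelled)."""
    next_header: str          # e.g. "icmp6", "tcp"
    icmp_type: str = ""       # ICMPv6 type name, empty for non-ICMPv6
    hop_limit: int = 64
    src: str = "::"           # carried for illustration; the terms never match on it


def evaluate(pkt: Pkt) -> tuple[str, str]:
    """Return (term, action) for the first matching term.

    A Junos filter ends with an implicit discard, which is modelled as the
    final return. Note that ND with a hop limit other than 255 is NOT picked
    up by 'term icmp' either, because that term lists no ND types."""
    if (pkt.next_header == "icmp6" and pkt.icmp_type in ND_TYPES
            and pkt.hop_limit == 255):
        # RFC 4861 requires ND to be sent with hop limit 255; a router
        # forwarding the packet would have decremented it, so 255 on arrival
        # means it originated on the attached link, whatever its source address.
        return ("icmp:nd", "accept")
    if pkt.next_header == "icmp6" and pkt.icmp_type in OTHER_ICMP_TYPES:
        return ("icmp", "accept-policed")   # subject to policer police_local
    return ("implicit", "discard")


if __name__ == "__main__":
    for p in (Pkt("icmp6", "neighbor-solicit", 255, "2001:db8::1"),
              Pkt("icmp6", "neighbor-solicit", 255, "fe80::1"),
              Pkt("icmp6", "neighbor-solicit", 254, "fe80::1"),
              Pkt("icmp6", "echo-request", 64, "2001:db8::2"),
              Pkt("tcp", hop_limit=64, src="2001:db8::3")):
        print(p.src, p.icmp_type or p.next_header, p.hop_limit, "->", evaluate(p))
```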