[j-nsp] IPv6 firewall policy for MX
Lee Pedder
lee.pedder at gmail.com
Sat Jun 29 06:01:34 EDT 2019
> > I think you need to take some time to understand IPv6 before
> > implementing.
> > The book examples don't restrict RS/RA to link local, are too open on
> > things like BGP and traceroute. Trio hardware also has payload-protocol
> > available in addition to next-header for matching.
>
> I don't think there is any need to. We've troubleshot many outages
> caused by customers limiting NS/NA to link-local or GUA, which may
> work and may stop working when one end changes.
>
Hi Ytti,
I have been using prefixes but, of course, I missed the obvious solution
here - matching on hop-limit 255.
> A robust and secure rule would be something like:
>
> term icmp:nd {
>     from {
>         next-header icmp6;
>         icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
>         hop-limit 255;
>     }
>     then {
>         count icmp:nd;
>         accept;
>     }
> }
> term icmp {
>     from {
>         next-header icmp6;
>         icmp-type [ echo-reply echo-request time-exceeded destination-unreachable packet-too-big parameter-problem ];
>     }
>     then {
>         policer police_local;
>         count icmp;
>         accept;
>     }
> }
Thanks for this.
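To show why hop-limit 255 is the right check rather than a source-prefix match, here is an added Python model of the two quoted terms (example code, not from the thread or from Junos). It parses constructed IPv6/ICMPv6 packets and applies the terms in order; it assumes a trailing implicit discard and ignores IPv6 extension headers.

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 next-header value for ICMPv6 (icmp6 in the Junos term)
# Neighbor Discovery types (RFC 4861); senders must use hop limit 255 and
# receivers must verify it, so any packet a router forwarded fails the check.
ND_TYPES = {133: "router-solicit", 134: "router-advertisement",
            135: "neighbor-solicit", 136: "neighbor-advertisement"}
# Types accepted by the second, policed term
INFO_TYPES = {1: "destination-unreachable", 2: "packet-too-big",
              3: "time-exceeded", 4: "parameter-problem",
              128: "echo-request", 129: "echo-reply"}

# Constructed sample addresses: a link-local and a documentation-range GUA
LINK_LOCAL = ipaddress.IPv6Address("fe80::1").packed
GUA = ipaddress.IPv6Address("2001:db8::1").packed


def build_packet(hop_limit: int, icmp_type: int, src: bytes, dst: bytes) -> bytes:
    """Constructed sample: fixed IPv6 header + minimal ICMPv6 body (checksum left zero)."""
    body = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    # version 6, traffic class 0, flow label 0; then payload length, next header, hop limit
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit) + src + dst
    return hdr + body


def classify(pkt: bytes) -> str:
    """Return the name of the quoted term that matches, or 'discard' (assumed implicit discard)."""
    if len(pkt) < 41 or pkt[0] >> 4 != 6:
        return "discard"
    _payload_len, next_header, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_header != ICMPV6:
        return "discard"  # extension headers are not walked in this model
    icmp_type = pkt[40]
    if icmp_type in ND_TYPES and hop_limit == 255:
        return "icmp:nd"  # accept, regardless of source prefix
    if icmp_type in INFO_TYPES:
        return "icmp"     # accept under police_local
    return "discard"


if __name__ == "__main__":
    # NS from a GUA still passes (hop limit intact); an RA that crossed a router does not.
    print(classify(build_packet(255, 135, GUA, GUA)))
    print(classify(build_packet(254, 134, LINK_LOCAL, LINK_LOCAL)))
```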