[j-nsp] IPv6 firewall policy for MX

Lee Pedder lee.pedder at gmail.com
Sat Jun 29 06:01:34 EDT 2019


> > I think you need to take some time to understand IPv6 before
> implementing.
> > The book examples don't restrict RS/RA to link local, are too open on
> > things like BGP and traceroute. Trio hardware also has payload-protocol
> > available in addition to next-header for matching.
>
> I don't think there is any need to. We've troubleshot many outages
> caused by customers limiting NS/NA to link-local or GUA, which may
> work and may stop working when one end changes.
>

Hi Ytti

I have been using prefixes but of course, I missed the obvious solution
here - matching on hop-limit 255.


> Robust and secure rule would be something like:
>
>             term icmp:nd {
>                 from {
>                     next-header icmp6;
>                     icmp-type [ router-solicit router-advertisement
> neighbor-solicit neighbor-advertisement ];
>                     hop-limit 255;
>                 }
>                 then {
>                     count icmp:nd;
>                     accept;
>                 }
>             }
>             term icmp {
>                 from {
>                     next-header icmp6;
>                     icmp-type [ echo-reply echo-request time-exceeded
> destination-unreachable packet-too-big parameter-problem ];
>                 }
>                 then {
>                     policer police_local;
>                     count icmp;
>                     accept;
>                 }
>             }
>
>

Thanks for this.


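The quoted terms on their own are not a complete loopback filter: the policer they reference has to be defined, anything not accepted by a term is discarded, and the filter has to be applied to lo0. The following is an added example of the full stanza, not configuration posted by anyone in this thread. The filter name protect-re-v6, the policer rate (1m / 15k) and the trailing terms are assumptions; the term names and match conditions are those from the quoted post. The reason hop-limit 255 works regardless of source address is RFC 4861: ND messages must be sent with a hop limit of 255, and any packet that has crossed a router has a hop limit of at most 254, so the match only accepts packets that originated on an attached link.

```junos
firewall {
    /* Policer referenced by the icmp term; rate is an assumed example value. */
    policer police_local {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet6 {
        filter protect-re-v6 {
            /* On-link ND only: a forwarded packet cannot still carry hop-limit 255. */
            term icmp:nd {
                from {
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
                    hop-limit 255;
                }
                then {
                    count icmp:nd;
                    accept;
                }
            }
            /* Operationally required ICMPv6 (PMTUD, traceroute, ping), rate limited. */
            term icmp {
                from {
                    next-header icmp6;
                    icmp-type [ echo-reply echo-request time-exceeded destination-unreachable packet-too-big parameter-problem ];
                }
                then {
                    policer police_local;
                    count icmp;
                    accept;
                }
            }
            /* Any other ICMPv6 type, including ND arriving with a decremented hop limit. */
            term icmp:other {
                from {
                    next-header icmp6;
                }
                then {
                    count icmp:other;
                    discard;
                }
            }
            /* Terms for the router's own control-plane protocols (BGP, OSPFv3, ...) go here. */
            term default {
                then {
                    count default;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

Two caveats before committing something like this. First, the explicit discard at the end means every protocol the routing engine must receive over IPv6 needs its own accept term ahead of it; commit with `commit confirmed` so a missing term does not lock you out. Second, `next-header` matches only the Next Header field of the base IPv6 header, so an ND packet carrying an extension header would not match `next-header icmp6`; on Trio the `payload-protocol icmp6` condition mentioned earlier in the thread matches the upper-layer protocol after any extension headers and can be used in place of, or alongside, `next-header`.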

More information about the juniper-nsp mailing list