[j-nsp] Decoding DDOS messages

Saku Ytti saku at ytti.fi
Wed Mar 18 12:36:58 EDT 2020


On Wed, 18 Mar 2020 at 18:30, John Kristoff <jtk at depaul.edu> wrote:

> Yep, I get all that.  I can tighten that up.  Care to show us how you
> do loopback filters?

It is situational; it's hard to come up with a one-size-fits-all. One
approach would be a basic skeleton, on top of which people then expand
what they need, which would likely then also be broken. Another option
would be to write an exhaustive one, but an exhaustive one necessarily has
compromises, so then people who don't need everything still take those
compromises.
Really Juniper would be in the best position to automatically generate an
lo0 filter when none is provided, which would be really, really good,
not optimal, but really good. A bit like generated LPTS.

I'm not sure if there is utility in a public template. But it's
something that I do occasionally think about, not just Junos or just
firewall, but also BGP, to show how to normalise BGP behaviour (no one
knows what their BGP policy is very accurately, as in almost every
case BGP policy is 'whatever is vendor default', and when you have a
multivendor network, you have a different policy in different devices).




-- 
  ++ytti
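The "basic skeleton" approach discussed above, as an added illustration that is not from the poster or from Juniper: a minimal Junos lo0 input filter that admits BGP only from configured neighbours, SSH only from a management prefix, rate-limited ICMP, and counts and logs everything else before discarding it. The filter, policer and prefix-list names (PROTECT-RE, ICMP-POLICER, BGP-NEIGHBORS, MGMT-HOSTS) and the addresses in them are constructed for the example.

```junos
/* Constructed example: names and addresses are assumptions, not from the thread */
policy-options {
    /* constructed neighbour addresses; replace with the real eBGP/iBGP peers */
    prefix-list BGP-NEIGHBORS {
        192.0.2.1/32;
        198.51.100.2/32;
    }
    /* constructed management network */
    prefix-list MGMT-HOSTS {
        203.0.113.0/24;
    }
}
firewall {
    /* bound the ICMP the RE will see; excess is dropped, not the whole class */
    policer ICMP-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* BGP to or from configured neighbours only */
            term bgp-from-neighbors {
                from {
                    source-prefix-list {
                        BGP-NEIGHBORS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* SSH only from the management network */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* ICMP accepted, but policed */
            term icmp-rate-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer ICMP-POLICER;
                    accept;
                }
            }
            /* everything else: count and log so the gaps in the skeleton are visible */
            term default-discard {
                then {
                    count re-discards;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

This is exactly the kind of skeleton the message warns will be "broken" when deployed as-is: it deliberately omits the IGP (OSPF/IS-IS), LDP, BFD, VRRP, NTP, DNS, SNMP and TCP return traffic, has no `family inet6` counterpart, and so on; each box needs the terms for what it actually runs. The `count`/`syslog` on the final term is what makes the omissions show up in `show firewall filter PROTECT-RE` and the logs rather than as a silent outage, and applying any lo0 filter with `commit confirmed` gives a way back if the filter cuts off the session used to commit it.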