[j-nsp] [EXT] Re: Decoding DDOS messages
Chuck Anderson
cra at WPI.EDU
Wed Mar 18 14:08:35 EDT 2020
On Wed, Mar 18, 2020 at 06:36:58PM +0200, Saku Ytti wrote:
> On Wed, 18 Mar 2020 at 18:30, John Kristoff <jtk at depaul.edu> wrote:
>
> > Yep, I get all that. I can tighten that up. Care to show us how you
> > do loopback filters?
>
> It is situational; it's hard to come up with one-size-fits-all. One
> approach would be a basic skeleton, on top of which people then expand
> what they need, which would likely also then be broken. Another option
> would be to write an exhaustive one, but an exhaustive one necessarily has
> compromises, so then people who don't need everything still take those
> compromises.
> Really Juniper would be in the best position to automatically generate
> an lo0 filter when none is provided, which would be really really good,
> not optimal, but really good. A bit like generated LPTS.
I disagree that they would be any good at it; it would likely be filled with the same holes as we've seen here, given network vendors' poor history in this area (see bad filters taking out IS-IS, IPv6 ND, and NFS traffic on EX4500 switches, for example). As this thread points out, getting the filters right is hard. If they were hardcoded by Juniper, that would just make them opaque and unchangeable. We'd all benefit from much more transparency and sharing of experiences.
> I'm not sure if there is a utility in public template. But it's
> something that I do occasionally think about, not just Junos or just
> firewall, but also BGP, to show how to normalise BGP behaviour (no one
> knows what their BGP policy is very accurately, as in almost every
> case BGP policy is 'what ever is vendor default', and when you have
> multivendor network, you have different policy in different devices).
The utility is in documenting best practices and concepts in how the public template works so that it can be adjusted as necessary. Having something documented, then claiming "that is wrong" without providing concrete corrections/suggestions is not helpful, especially if everyone out there is using the CYMRU templates or the MX book because that is the best information available.
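As an added illustration of the "basic skeleton" approach discussed above (this is not configuration from the original message, from the CYMRU templates, or from the MX book), the fragment below is a minimal Junos lo0 filter skeleton that shows the two pitfalls named in the thread: IPv6 neighbor discovery must be explicitly permitted before the final discard, and IS-IS is not carried in IP at all, so a family inet/inet6 lo0 filter never sees it and cannot be used to protect or to accidentally block it. The peer addresses, prefix-list name and filter names are constructed placeholders (RFC 5737/3849 documentation space), and the filter is assumed to be applied to lo0 unit 0 as the routing instance's loopback.

```junos
/* Added example, not from the original post: skeleton lo0 (RE protection) filter. */
policy-options {
    /* Constructed placeholder peers; replace with the real BGP neighbor addresses. */
    prefix-list bgp-peers-v4 {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list bgp-peers-v6 {
        2001:db8::1/128;
    }
}
firewall {
    family inet {
        filter protect-re-v4 {
            /* Only listed peers may open or speak BGP to the RE. */
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers-v4;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Keep basic ICMP so path MTU discovery and troubleshooting still work. */
            term allow-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer re-icmp-policer;
                    accept;
                }
            }
            /* Expand here: OSPF, NTP, SNMP, SSH from management prefixes, etc. */
            /* Note: IS-IS is CLNS, not IP; this family inet filter never matches it. */
            term deny-rest {
                then {
                    count re-v4-discard;
                    log;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            /* Neighbor discovery MUST be accepted before the final discard,
               otherwise the box loses its IPv6 neighbors and links. */
            term allow-nd {
                from {
                    next-header icmpv6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement redirect ];
                }
                then accept;
            }
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers-v6;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term allow-icmp6 {
                from {
                    next-header icmpv6;
                    icmp-type [ echo-request echo-reply destination-unreachable packet-too-big time-exceeded ];
                }
                then {
                    policer re-icmp-policer;
                    accept;
                }
            }
            term deny-rest {
                then {
                    count re-v6-discard;
                    log;
                    discard;
                }
            }
        }
    }
    /* Constructed rate limit for ICMP towards the RE; tune per platform. */
    policer re-icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-v4;
                }
            }
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

The value of the skeleton is in what is visible: every accepted protocol is an explicit term, and the final `deny-rest` term counts and logs so that anything the operator forgot to add (the "then broken" case in the quoted text) shows up in `show firewall` counters and the firewall log before it is silently dropped. Commit with `commit confirmed` when rolling this out so a missing term cannot lock you out of the box.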