[j-nsp] [EXT] Re: Decoding DDOS messages

Saku Ytti saku at ytti.fi
Wed Mar 18 14:24:08 EDT 2020


On Wed, 18 Mar 2020 at 20:09, Chuck Anderson <cra at wpi.edu> wrote:

> I disagree that they would be any good at it--it would likely be filled with the same holes as we've seen here given network vendors' poor history in this area (see bad filters taking out IS-IS, IPv6 ND, and NFS traffic on EX4500 switches for example).  As this thread points out, getting the filters right is hard.  If they were hardcoded by Juniper, that would just make them opaque and unchangeable.  We'd all benefit from much more transparency and sharing of experiences.

Juniper has a hidden group which is applied to your config; a default lo0
filter could come from there when not configured. And it could evolve
via JTAC. It can consume information no external site can consume.

-- 
  ++ytti

