[j-nsp] Decoding DDOS messages
adamv0025 at netconsultings.com
Mon Mar 23 00:57:13 EDT 2020
> Saku Ytti
> Sent: Wednesday, March 18, 2020 4:37 PM
>
> On Wed, 18 Mar 2020 at 18:30, John Kristoff <jtk at depaul.edu> wrote:
>
> > Yep, I get all that. I can tighten that up. Care to show us how you
> > do loopback filters?
>
> Really Juniper would be in the best position to automatically generate
> lo0 filter when none is provided, which would be really really good, not
> optimal, but really good. Bit of like generated-LPTS.
>
That, but most importantly separate control-plane and management-plane
security like in XR.
If one could do this in Junos:
XR example: control-plane management-plane inband interface xxxxxxx allow SSH
- listing only my core-facing and/or OOB mgmt ports.
Then it would not matter that operator's iACL or lo0 filter has holes
(allowing ssh from BGP source port).
adam