[nsp-sec] Juniper uRPF to Blackhole
Chris Morrow
morrowc at ops-netman.net
Thu Mar 20 21:18:57 EDT 2008
On Thu, 20 Mar 2008, JR Mayberry wrote:
> ----------- nsp-security Confidential --------
>
>
> For some reason our Juniper people are telling us it is not possible to do
> uRPF type filtering using blackhole triggering. Specifically, as a loose
> mode configuration. We carry full routes on the network in question.
>

Are you trying to inject null routes to block by source then?

> They are saying flowspec is the only option we have - but our blackhole
> routers are Cisco IOS based and don't support MP-BGP.
> This seems odd to me. Can anyone tell me (and show me w/ configs)
> otherwise?

Junos (as of 7.0 at least) seems to support loose-mode rpf-check:

    user@rtr# set family inet rpf-check mode loose

Maybe because you have a route in the RIB it doesn't count for the RPF
check??