[nsp-sec] Juniper uRPF to Blackhole
JR Mayberry
mayberry at jupiter.loonybin.net
Fri Mar 21 11:40:48 EDT 2008
Isn't anyone actually using the feature and can speak to whether it works
like Cisco or not?
On Fri, 21 Mar 2008, Chris Morrow wrote:
>
>
> On Thu, 20 Mar 2008, JR Mayberry wrote:
>
>> ----------- nsp-security Confidential --------
>>
>>
>> For some reason our Juniper people are telling us it is not possible to do
>> uRPF type filtering using blackhole triggering. Specifically, as a loose
>> mode configuration. We carry full routes on the network in question.
>>
>
> are you trying to inject null routes to block by source then?
>
>> They are saying flowspec is the only option we have - but our blackhole
>> routers are Cisco IOS based and don't support MP-BGP.
>> This seems odd to me. Can anyone tell me (and show me w/ configs)
>> otherwise?
>
> junos (as of 7.0 at least) seems to support loose-mode rpf-check:
>
> user@rtr# set family inet rpf-check mode loose
>
> Maybe because you have a route in the RIB it doesn't count for the RPF
> check??
>