[nsp-sec] Juniper uRPF to Blackhole

Smith, Donald Donald.Smith at qwest.com
Fri Mar 21 13:34:26 EDT 2008


I haven't tried this, but I recall Juniper telling us that a blackhole route to discard would cause a "zero" response from the FIB check, so even with full routes a more specific route to discard and loose-mode uRPF should still allow you to blackhole a CIDR block, including RFC 1918 space.

Can someone from Juniper confirm this?
If this is correct, in what version of JUNOS is this supported?

donald.smith at qwest.com giac

________________________________

From: nsp-security-bounces at puck.nether.net on behalf of Sebastian Abt
Sent: Fri 3/21/2008 11:16 AM
To: JR Mayberry
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Juniper uRPF to Blackhole



----------- nsp-security Confidential --------

* JR Mayberry wrote:
> Isn't anyone actually using the feature and can speak to whether it
> works like Cisco or not?

In uRPF loose-mode Juniper only checks whether an entry for the given
prefix exists in the RIB; if that's the case, the packet is accepted -
even if the next-hop for the prefix is discard.  At least that's what I
remember when I tried to configure this some time ago.

So, yes, I guess your colleagues are right and this behaviour differs
from Cisco's - unfortunately.


regards,
sebastian

--
fon: +49 69 95411 15  e-mail: sa at rh-tec.de
fax: +49 69 95411 45  mobile: +49 69 95411 55
rh-tec Business GmbH, http://www.rh-tec.de/
Grosser Heidkamp 8, 32549 Bad Oeynhausen
Geschaeftsfuehrer: Gerhard Roehrmann
Registergericht: AG Bad Oeynhausen, HRB 8112
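An added illustration, not code from either poster nor from Juniper or Cisco: a small Python model of the two loose-mode uRPF semantics the thread contrasts (Cisco treating a null0/discard next hop as "not reachable" versus Junos, as Sebastian remembers it, passing any matching entry), run over a constructed route table. The prefixes, next hops and function names are assumptions; the config lines in the comments are the usual forms for a blackhole route and loose-mode uRPF on each platform.

```python
import ipaddress

# Constructed route table for the model: (prefix, next_hop). "discard" stands
# for a blackhole route, i.e. Junos "set routing-options static route X discard"
# or Cisco "ip route X MASK null0". No default route, as with a full table.
RIB = [
    ("198.51.100.0/24", "203.0.113.1"),   # ordinary reachable prefix
    ("203.0.113.0/24", "203.0.113.1"),    # upstream link
    ("10.0.0.0/8", "discard"),            # RFC 1918 space blackholed
    ("198.51.100.200/32", "discard"),     # more-specific blackhole in a live /24
]


def lookup(src):
    """Longest-prefix match of a packet's source address against RIB.
    Returns (network, next_hop), or None when no route covers the source."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, next_hop in RIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def urpf_loose_cisco(src):
    """Cisco loose mode ("ip verify unicast source reachable-via any"):
    a route whose next hop is null0 does not count as reachable."""
    hit = lookup(src)
    return hit is not None and hit[1] != "discard"


def urpf_loose_junos_as_described(src):
    """Junos loose mode ("rpf-check mode loose") as described in the thread:
    any matching entry passes the check, even one pointing to discard."""
    return lookup(src) is not None


def compare(src):
    """Decision of both models for one source address: True = forward."""
    return {
        "cisco": urpf_loose_cisco(src),
        "junos_as_described": urpf_loose_junos_as_described(src),
    }


if __name__ == "__main__":
    for src in ("198.51.100.10", "10.1.2.3", "198.51.100.200", "192.0.2.5"):
        print(src, compare(src))
```

The spoofed RFC 1918 source and the /32 blackhole are the cases where the two models disagree; an unrouted source is dropped by both, and a normally routed one passes both.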

