[nsp-sec] Juniper uRPF to Blackhole

John Fraizer john at op-sec.us
Sat Mar 22 20:29:00 EDT 2008


Works for us as far as I can tell. BGP routes with a nexthop that is null equiv work just like on our Ciscos.


John Fraizer
Senior Internetworking Engineer
NOC Engineering
NuVox Communications, Inc
(864)331-7575 work
-Sent from my Treo SmartPhone
-----Original Message-----
From: JR Mayberry <mayberry at jupiter.loonybin.net>
Date: Friday, Mar 21, 2008 11:43 am
Subject: Re: [nsp-sec] Juniper uRPF to Blackhole
To: Chris Morrow <morrowc at ops-netman.net>
CC: nsp-security at puck.nether.net

----------- nsp-security Confidential --------
>
>
>Isn't anyone actually using the feature and can speak to whether it works 
>like Cisco or not?
>
>
>On Fri, 21 Mar 2008, Chris Morrow wrote:
>
>> On Thu, 20 Mar 2008, JR Mayberry wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> For some reason our Juniper people are telling us it is not possible to do
>>> uRPF type filtering using blackhole triggering. Specifically, as a loose
>>> mode configuration. We carry full routes on the network in question.
>>
>> are you trying to inject null routes to block by source then?
>>
>>> They are saying flowspec is the only option we have - but our blackhole
>>> routers are Cisco IOS based and don't support MP-BGP.
>>> This seems odd to me. Can anyone tell me (and show me w/ configs)
>>> otherwise?
>>
>> junos (as of 7.0 at least) seems to support loose-mode rpf-check:
>>
>> user@rtr# set family inet rpf-check mode loose
>>
>> Maybe because you have a route in the RIB it doesn't count for the RPF
>> check??