[nsp-sec] Juniper uRPF to Blackhole
Nic Tjirkalli
nic.tjirkalli at za.verizonbusiness.com
Sun Mar 23 02:25:31 EDT 2008
Howdy ho,
> ----------- nsp-security Confidential --------
>
> works for us as far as I can tell. BGP routes with a nexthop that is null equiv work just like on our Ciscos.
In the Juniper implementation, is traffic that is either sourced or
destined to the prefix that has a next hop of null equivalent dropped or
just traffic that is destined to the prefix with a BGP null equivalent
dropped?
thanx
>
>
> John Fraizer
> Senior Internetworking Engineer
> NOC Engineering
> NuVox Communications, Inc
> (864)331-7575 work
> -Sent from my Treo SmartPhone
> -----Original Message-----
> From: JR Mayberry <mayberry at jupiter.loonybin.net>
> Date: Friday, Mar 21, 2008 11:43 am
> Subject: Re: [nsp-sec] Juniper uRPF to Blackhole
> To: Chris Morrow <morrowc at ops-netman.net>
> CC: nsp-security at puck.nether.net
>
>>
>>
>> Isn't anyone actually using the feature and can speak to whether it works
>> like Cisco or not?
>>
>>
>> On Fri, 21 Mar 2008, Chris Morrow wrote:
>>
>>>
>>
>>> On Thu, 20 Mar 2008, JR Mayberry wrote:
>>
>>>
>>>
>>> For some reason our Juniper people are telling us it is not possible to do
>>> uRPF type filtering using blackhole triggering. Specifically, as a loose
>>> mode configuration. We carry full routes on the network in question.
>>>
>>
>>> are you trying to inject null routes to block by source then?
>>
>>>> They are saying flowspec is the only option we have - but our blackhole
>>> routers are Cisco IOS based and don't support MP-BGP.
>>> This seems odd to me. Can anyone tell me (and show me w/ configs)
>>> otherwise?
>>
>>> junos (as of 7.0 at least) seems to support loose-mode rpf-check:
>>
>>> user@rtr# set family inet rpf-check mode loose
>>
>>> Maybe because you have a route in the RIB it doesn't count for the RPF
>> check??
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
---------------------------------------------------------------------
I don't work here. I'm a consultant.
Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team
Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
is strictly confidential and intended only for use by the addressee unless
otherwise indicated.
Company Information: http://www.verizonbusiness.com/za/contact/legal/