[nsp-sec] Juniper uRPF to Blackhole
Smith, Donald
Donald.Smith at qwest.com
Sun Mar 23 13:55:00 EDT 2008
We are not doing source-based black holes, but we do destination-based black holes on Junipers and have for years.
donald.smith at qwest.com giac
________________________________
From: nsp-security-bounces at puck.nether.net on behalf of Nic Tjirkalli
Sent: Sun 3/23/2008 12:25 AM
To: John Fraizer
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Juniper uRPF to Blackhole
----------- nsp-security Confidential --------
Howdy ho,
> Works for us as far as I can tell. BGP routes with a next hop that is null-equivalent work just like on our Ciscos.
In the Juniper implementation, is traffic that is either sourced from or
destined to the prefix that has a null-equivalent next hop dropped, or
just traffic that is destined to the prefix with a BGP null-equivalent
dropped?
thanx
>
>
> John Fraizer
> Senior Internetworking Engineer
> NOC Engineering
> NuVox Communications, Inc
> (864)331-7575 work
> -Sent from my Treo SmartPhone
> -----Original Message-----
> From: JR Mayberry <mayberry at jupiter.loonybin.net>
> Date: Friday, Mar 21, 2008 11:43 am
> Subject: Re: [nsp-sec] Juniper uRPF to Blackhole
> To: Chris Morrow <morrowc at ops-netman.net>
> CC: nsp-security at puck.nether.net
>
>> Isn't anyone actually using the feature and can speak to whether it works
>> like Cisco or not?
>>
>> On Fri, 21 Mar 2008, Chris Morrow wrote:
>>
>>> On Thu, 20 Mar 2008, JR Mayberry wrote:
>>>
>>> For some reason our Juniper people are telling us it is not possible to do
>>> uRPF type filtering using blackhole triggering. Specifically, as a loose
>>> mode configuration. We carry full routes on the network in question.
>>
>>> are you trying to inject null routes to block by source then?
>>
>>>> They are saying flowspec is the only option we have - but our blackhole
>>> routers are Cisco IOS based and don't support MP-BGP.
>>> This seems odd to me. Can anyone tell me (and show me w/ configs)
>>> otherwise?
>>
>>> junos (as of 7.0 at least) seems to support loose-mode rpf-check:
>>
>>> user at rtr# set family inet rpf-check mode loose
>>
>>> Maybe because you have a route in the RIB it doesn't count for the RPF
>> check??
>>
>
---------------------------------------------------------------------
I don't work here. I'm a consultant.
Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
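The destination-based blackhole Donald says works on Junipers, combined with the loose-mode rpf-check statement Chris quoted, as a JunOS configuration sketch added here (not from any poster or from Juniper): the discard route, the community-triggered import policy and the interface rpf-check are assumptions about how such a setup is commonly built, and 192.0.2.1, 65000:666, ge-0/0/0 and the policy names are placeholder values.

```junos
/* Added example, not from any poster. Placeholder values are marked. */

/* 1. A "null-equivalent" next hop: a static discard route for a placeholder
      address (192.0.2.1 is constructed). Any BGP route whose next hop resolves
      here has its traffic dropped in the forwarding path. */
routing-options {
    static {
        route 192.0.2.1/32 discard;
    }
}

/* 2. Blackhole trigger: routes carrying an agreed community (65000:666 is a
      placeholder) get their next hop rewritten to the discard address, so
      traffic *destined* to such a prefix is dropped, which is what Donald
      reports working on Junipers. Apply this as the import policy on the
      session from the trigger router. */
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement IMPORT-FROM-TRIGGER {
        term set-null-nexthop {
            from community BLACKHOLE;
            then {
                next-hop 192.0.2.1;
                accept;
            }
        }
    }
}

/* 3. Loose-mode uRPF on an edge interface (ge-0/0/0 is a placeholder), the
      statement Chris quoted. Whether a packet *sourced from* a blackholed
      prefix fails this check is the question Nic raised and the thread leaves
      open; this configuration does not settle it. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}
```

Check the effect with `show route 192.0.2.1` (the discard route) and `show route protocol bgp community-name BLACKHOLE` to confirm that triggered prefixes resolve to the discard next hop before relying on the setup.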