On Tue, 19 Jun 2018 at 18:03, Saku Ytti <[email protected]> wrote:
> from {
>     source-prefix-list {
>         rsvp_neighbors;
>     }
>     protocol udp;
>     destination-port 8503;
> }
>
Oh, I need to add one important thing. The RFC mandates that SPORT is ephemeral, but JNPR uses 8503 (against the RFC). If you're like me, you build lo0 filters as strict as the RFC allows, and in this case it would not work, as 'source-port <ephemeral>' would not match the incoming packet.

I think the JNPR implementation is better than the RFC, and I'd like an erratum to happen on the RFC. 8503<->8503 is more desirable than ephemeral<->8503. But you should be defensive and accept at least ephemeral + 8503 as source port, so that it doesn't break if the JNPR implementation starts to follow the RFC.

Usually there are no security implications in omitting the source-port match (but never omit the destination-port match, even if the source is strictly known).

--
++ytti

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
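The defensive term described in the post, written out as an added example (not configuration from the original message): the filter name `protect-re`, the term name `rsvp-udp-8503`, the `then accept` action and the ephemeral range `1024-65535` are assumptions; only the prefix list `rsvp_neighbors`, UDP and port 8503 come from the thread.

```junos
firewall {
    family inet {
        /* assumed filter name; applied as an input filter on lo0 */
        filter protect-re {
            term rsvp-udp-8503 {
                from {
                    source-prefix-list {
                        rsvp_neighbors;
                    }
                    protocol udp;
                    /* Accept both the JNPR source port (8503) and an
                       RFC-style ephemeral source port (assumed range
                       1024-65535). A strict 'source-port 1024-65535'
                       alone would not match the JNPR packets. */
                    source-port [ 8503 1024-65535 ];
                    /* Destination-port match is always kept, as the
                       post advises, even though the source is known. */
                    destination-port 8503;
                }
                then accept;
            }
        }
    }
}
```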

