> Of Saku Ytti
> Sent: Wednesday, July 11, 2018 8:44 PM
> 
> On Wed, 11 Jul 2018 at 22:26, Chris Morrow <morr...@ops-netman.net>
> wrote:
> 
> > > You might want "payload-protocol" for IPv6, except where you really
> > > want "next-header".  This is a case where there's not a definite
> > > single functional mapping from IPv4 to IPv6.
> >
> > unclear why that's important here though? you MAY (and probably do)
> > have different security requirements between the 2 families, right? so
> > you're making a policy in ipv4 and you're making one in ipv6.
> 
> The point probably is that if the filter is as such
> 
> a) allow smtp to permitted mx
> b) drop all smtp
> c) permit rest
> 
> Then with 'payload-protocol' it works fine. With 'next-header' this filter
> is trivial to bypass, allowing the sender to send email to any MX.
> 
> However for the lo0 filter it indeed does not matter, as your format should be
> 
> a) permit specific thing1
> b) permit specific thingN
> c) drop rest
> 
> No way to bypass c), so it is immaterial whether next-header (cheap) or
> payload-protocol (expensive) is used.
> --
Well yes, but think about the 1st rule of thermodynamics.
It almost seems like every single time someone looks at the RE filter he can
spot yet another thing that's not quite kosher.

Take the BGP session filter, for example.
Yes, allowing just destination port 172 and source port ephemeral is safe, but
you might not get your session up (not sure what the rule is? higher RID
session is kept?), or configure it on two neighbouring routers and you'll
never get the session up.


adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
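As an added illustration (not configuration from this thread or from any of the posters), here is a Junos lo0 filter in the allow-list shape Saku describes, with the BGP term written so that either router can open the session, which is the failure mode Adam points at: matching only `destination-port 179` drops the remote's replies (source port 179 to our ephemeral port) whenever this box is the active opener, so two routers configured that way never come up. The `port` match condition in Junos matches source or destination port, which is why it is used here. Filter and prefix-list names, the neighbour addresses (RFC 5737 / RFC 3849 documentation space) and the choice of ICMP types are my assumptions; whether `payload-protocol` is accepted under `family inet6` depends on the platform and Junos release, so run a `commit check` on the target box.

```junos
/* Added example, not from the thread. Names, prefix-lists and addresses are
   assumptions; neighbour addresses are RFC 5737 / RFC 3849 documentation space. */
policy-options {
    prefix-list BGP-NEIGHBORS-V4 {
        192.0.2.1/32;
        198.51.100.1/32;
    }
    prefix-list BGP-NEIGHBORS-V6 {
        2001:db8::1/128;
        2001:db8:1::1/128;
    }
}
firewall {
    family inet {
        filter PROTECT-RE-V4 {
            term BGP {
                from {
                    source-prefix-list {
                        BGP-NEIGHBORS-V4;
                    }
                    protocol tcp;
                    /* Do NOT write only 'destination-port 179;' here: that accepts
                       sessions the neighbour opens but drops the replies to sessions
                       we open (remote source-port 179 -> our ephemeral port).
                       'port' matches source OR destination, so both directions work. */
                    port 179;
                }
                then accept;
            }
            term ICMP {
                /* "permit specific thingN": in production this term would also
                   carry a policer; omitted here to keep the example short. */
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            term DROP-REST {
                /* "drop rest": nothing reaches the RE unless an earlier term
                   accepted it, so a cheap first-header match is sufficient. */
                then {
                    count re-v4-drop;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter PROTECT-RE-V6 {
            term BGP {
                from {
                    source-prefix-list {
                        BGP-NEIGHBORS-V6;
                    }
                    /* next-header only looks at the header right after the IPv6
                       header, so a TCP segment behind an extension header would not
                       match this term; that is harmless here because DROP-REST below
                       discards it. In a "permit rest" style filter you would need
                       'payload-protocol tcp;' instead, where the platform supports it. */
                    next-header tcp;
                    port 179;
                }
                then accept;
            }
            term ICMP6 {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advert echo-request echo-reply packet-too-big ];
                }
                then accept;
            }
            term DROP-REST {
                then {
                    count re-v6-drop;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-V4;
                }
            }
            family inet6 {
                filter {
                    input PROTECT-RE-V6;
                }
            }
        }
    }
}
```

Because the last term discards everything not explicitly permitted, an attacker cannot reach the RE by hiding a transport header behind IPv6 extension headers; the worst outcome of the cheap `next-header` match is that a legitimate but oddly encapsulated packet is dropped and shows up in the `re-v6-drop` counter, which is the place to look when a v6 neighbour will not come up.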


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
