On Thu, 3 Jan 2019 at 22:23, Jason Lixfeld <[email protected]> wrote:
> If you match on specific source (and presumably specific destination)
> addresses, why is a directionally agnostic port match bad? Or is it not so
> much bad as it is being too lazy to create a second term or an established
> filter/term?

Because they can set SPORT==BGP and DPORT==SSH and hammer your SSH.

> > c) always match destination-address if you're running L3 MPLS VPNs
>
> I must be misunderstanding because I'm sure you're not suggesting that in the
> absence of L3VPNs, omitting destination address matching is acceptable?

I am suggesting that. If it's hitting the control plane it is coming to one of
your local IPs; which one it is is not important from a security POV.

> > d) TCP when either end can initiate requires two terms
>
> As opposed to another filter or a single term matching established for
> already specifically configured allow terms?

As opposed to using 'port bgp', you need 'source-port bgp, destination-port
ephemeral' and 'destination-port bgp'.

> > e) have ultimate deny all rule
> >
> > On top of that, configure _every_ ddos-protection protocol.
>
> Assuming a policer falls into the category of ddos-protection protocol, what
> sorts of others are you referring to?

MX has a specific configuration called 'ddos-protection' which covers many
protocols, L3 and others, and fixes the problem of one bad actor (one bad
BGP session) causing collateral damage.

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
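As an added illustration, not taken from the thread or from any poster, the following Junos loopback-filter fragment puts the points above side by side: a directionally agnostic 'port bgp' term (shown only for contrast, in a filter that is never applied), the two-term form for a TCP session either side may initiate, a destination-prefix-list match for the router's own addresses, a final deny, and a ddos-protection entry for BGP. Prefix-list names, addresses, counter names and the bandwidth/burst values are constructed placeholders; the syntax is standard Junos.

```junos
/* Constructed example: names, addresses and rates are placeholders */
policy-options {
    prefix-list BGP-PEERS {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    /* the router's own loopback/interface addresses */
    prefix-list LOCAL-ADDRESSES {
        198.51.100.1/32;
    }
}
firewall {
    family inet {
        /* WEAK, for contrast only: 'port bgp' matches source OR destination
           port 179, so a packet from a peer with sport 179 and dport 22
           passes this term and reaches SSH. Not applied anywhere below. */
        filter PROTECT-RE-WEAK {
            term bgp {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
        filter PROTECT-RE {
            /* Peer-initiated session: we listen on 179 */
            term bgp-in {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    destination-prefix-list {
                        LOCAL-ADDRESSES;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Locally initiated session: replies come from sport 179
               to one of our ephemeral ports only */
            term bgp-out {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    destination-prefix-list {
                        LOCAL-ADDRESSES;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 1024-65535;
                }
                then accept;
            }
            /* further explicit accept terms (SSH, ICMP, IGP, ...) belong here */
            /* Ultimate deny: anything not explicitly allowed is dropped */
            term deny-all {
                then {
                    count denied-to-re;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
system {
    ddos-protection {
        protocols {
            /* per-protocol policer; pps values are constructed */
            bgp {
                aggregate {
                    bandwidth 1000;
                    burst 500;
                }
            }
        }
    }
}
```

Only PROTECT-RE is bound to lo0; the deny-all term's counter gives a quick `show firewall` check that unexpected traffic is actually being dropped rather than silently matched by an earlier, too-broad term.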

