Re: [j-nsp] IPv6 firewall policy for MX

2019-06-29 Thread Lee Pedder
> > I think you need to take some time to understand IPv6 before
> implementing.
> > The book examples don't restrict RS/RA to link local, are too open on
> > things like BGP and traceroute. Trio hardware also has payload-protocol
> > available in addition to next-header for matching.
>
> I don't think there is any need to. We've troubleshot many outages
> caused by customers limiting NS/NA to link-local or GUA, which may
> work and may stop working when one end changes.
>

Hi Ytti

I have been using prefixes but of course, I missed the obvious solution
here - matching on hop-limit 255.


> A robust and secure rule would be something like:
>
> term icmp:nd {
>     from {
>         next-header icmp6;
>         icmp-type [ router-solicit router-advertisement
>                     neighbor-solicit neighbor-advertisement ];
>         hop-limit 255;
>     }
>     then {
>         count icmp:nd;
>         accept;
>     }
> }
> term icmp {
>     from {
>         next-header icmp6;
>         icmp-type [ echo-reply echo-request time-exceeded
>                     destination-unreachable packet-too-big parameter-problem ];
>     }
>     then {
>         policer police_local;
>         count icmp;
>         accept;
>     }
> }

Thanks for this.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] IPv6 firewall policy for MX

2019-06-29 Thread Saku Ytti
Hey Lee,

> I think you need to take some time to understand IPv6 before implementing.
> The book examples don't restrict RS/RA to link local, are too open on
> things like BGP and traceroute. Trio hardware also has payload-protocol
> available in addition to next-header for matching.

I don't think there is any need to. We've troubleshot many outages
caused by customers limiting NS/NA to link-local or GUA, which may
work and may stop working when one end changes.

A robust and secure rule would be something like:

term icmp:nd {
    from {
        next-header icmp6;
        icmp-type [ router-solicit router-advertisement
                    neighbor-solicit neighbor-advertisement ];
        hop-limit 255;
    }
    then {
        count icmp:nd;
        accept;
    }
}
term icmp {
    from {
        next-header icmp6;
        icmp-type [ echo-reply echo-request time-exceeded
                    destination-unreachable packet-too-big parameter-problem ];
    }
    then {
        policer police_local;
        count icmp;
        accept;
    }
}

-- 
  ++ytti
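The two terms above are only a fragment; the rest of the filter they sit in is implied but not shown in the thread. Below is an added example, written for this page rather than taken from Saku's full filter or from the book Sander and Aaron point to, that puts the terms in a deployable context: the policer that term icmp references, an explicit final discard term, and the filter applied to lo0. The filter name protect-re-v6, the policer rate and burst, and the discard-rest term are assumptions; the two ICMPv6 terms are as posted.

```junos
firewall {
    policer police_local {
        /* Assumed rate: size to the platform and the expected ICMPv6 load. */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet6 {
        filter protect-re-v6 {
            /* ND accepted on hop-limit 255 alone: a forwarded packet has
               been decremented at least once, so an off-link sender
               cannot satisfy this term whatever source it spoofs. */
            term icmp:nd {
                from {
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement
                                neighbor-solicit neighbor-advertisement ];
                    hop-limit 255;
                }
                then {
                    count icmp:nd;
                    accept;
                }
            }
            term icmp {
                from {
                    next-header icmp6;
                    icmp-type [ echo-reply echo-request time-exceeded
                                destination-unreachable packet-too-big parameter-problem ];
                }
                then {
                    policer police_local;
                    count icmp;
                    accept;
                }
            }
            /* Accept terms for the control-plane protocols this router
               actually runs (BGP, SSH, NTP, ...) belong here, before the
               final discard. Without them the discard below locks you out. */
            term discard-rest {
                then {
                    count discard-rest;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

Two practitioner notes. First, the hop-limit 255 test is why the ND term can stay source-agnostic: RFC 4861 requires ND messages to be sent with Hop Limit 255 and receivers to discard anything else, and every forwarding hop decrements the field, so only a directly attached neighbour can ever reach this term. That is the property Saku is relying on instead of link-local or GUA prefix lists. Second, Lee's remark about payload-protocol is the caveat to keep in mind: next-header matches the first header after the IPv6 header, so an ICMPv6 packet carrying an extension header ahead of it does not match either term and falls through to the final discard (a safe direction for a control-plane filter, but it will show up as a discard-rest hit rather than an icmp:nd hit). On Trio, matching on payload-protocol instead addresses that if you want ND or ICMP with extension headers to be classified rather than dropped. Commit a filter like this with commit confirmed so a missing accept term cannot strand the box.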


Re: [j-nsp] IPv6 firewall policy for MX

2019-06-28 Thread Lee Pedder
It's a good start but there are many issues with it.

I think you need to take some time to understand IPv6 before implementing.
The book examples don't restrict RS/RA to link local, are too open on
things like BGP and traceroute. Trio hardware also has payload-protocol
available in addition to next-header for matching.

The IETF opsec-v6 draft is a useful resource to begin with

https://datatracker.ietf.org/doc/draft-ietf-opsec-v6/


On Fri, 28 Jun 2019, 20:28 Aaron Gould, wrote:

> 2nd edition page 332 "IPv6 RE Protection Filter"
>
> -Aaron


Re: [j-nsp] IPv6 firewall policy for MX

2019-06-28 Thread Aaron Gould
2nd edition page 332 "IPv6 RE Protection Filter"

-Aaron




Re: [j-nsp] IPv6 firewall policy for MX

2019-06-28 Thread Sander Steffann
Hi,

> Is there a good online resource for IPv6 firewall policy/hardening for MX 
> series routers?

I would start with the IPv6 filter example starting on page 336 of Juniper MX 
Series, 2nd Edition (ISBN: 978-1-4919-3272-8). There are eBook versions 
available, and O'Reilly Safari gives you online access. See 
https://www.juniper.net/us/en/training/jnbooks/oreilly-juniper-library/mx-series/.

If you have the 1st edition it should be around page 260.

Cheers,
Sander





[j-nsp] IPv6 firewall policy for MX

2019-06-28 Thread Jonathan Call
Is there a good online resource for IPv6 firewall policy/hardening for MX 
series routers?