Exactly that Sandy. Thanks :)

Loose uRPF checks for a route back to the source of any packet arriving on an interface it is configured on, but in most implementations if that route back is actually to null it will drop the packet. We used this for years on our old Brocade platform and it was really handy being able to inject anything at the ExaBGP level to block both source and destination across the entire edge. We have a feature request in for Arista as loose uRPF doesn't work the same way to make this useful; I would expect (but don't know) JunOS to be relatively sane.

W

On Thu, May 31, 2018 at 11:58, Sandy Breeze <[email protected]> wrote:

> Hi Paul, Rich,
>
> I presume Simon meant that if you in some way injected/reflected your bogon feed prefixes into your network with a next-hop that is routed to null, then loose uRPF on your peering edge should drop anything arriving on those interfaces which is (recursively) destined to null.
>
> Sandy
>
> From: uknof <[email protected]> on behalf of Richard Halfpenny <[email protected]>
> Sent: Thursday, May 31, 2018 1:50:08 PM
> To: Simon Woodhead
> Cc: Paul Thornton; [email protected]
> Subject: Re: [uknof] JUNOS filter hackery
>
> Hi Paul,
>
> Flowspec and ExaBGP? You probably can get JUNOS to build dynamically but have never tried that specific case. The most we do is to have a commit script that searches for all BGP peer addresses and then opens them up automatically on the control plane filter. I doubt you could get it to change on every routing update change (e.g. only during config commit) as that would lead to a possible control plane DoS situation from a flood of updates.
>
> Rich.
> Network Engineering Manager
> Exa Networks Ltd :: AS30740
>
> On 31 May 2018 at 11:37, Simon Woodhead <[email protected]> wrote:
>
>> Hi Paul
>>
>> Loose uRPF and ExaBGP are your friends here presuming uRPF behaves the same on Junos as others.
>>
>> W
>>
>> --
>> SIMON WOODHEAD
>> Founder and CEO
>> Simwood eSMS Limited
>>
>> On Thu, May 31, 2018 at 11:31, Paul Thornton <[email protected]> wrote:
>>
>>> Hi folks,
>>>
>>> I'm wondering if it is possible to dynamically build a firewall filter from routes learned via BGP, based on a community or just routes learned from a peer. The use case here is to take a Team Cymru BGP bogons feed and build a "deny anything from these sources" firewall that can then be applied to both customer and peer interfaces.
>>>
>>> This could, of course, be scripted but I'm wondering if there isn't some kind of magic that we can use to get the router to do it natively.
>>>
>>> Thanks
>>>
>>> Paul.
>>>
>>> --
>>> Paul Thornton
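To make the approach Simon and Sandy describe concrete (inject the bogon prefixes via ExaBGP with a next-hop that the edge resolves to discard, then let loose uRPF drop packets sourced from them), here is an added example of an ExaBGP process helper that turns a bogon prefix list into API announcements. It is not code from the thread or from ExaBGP itself; the discard next-hop 192.0.2.1, the community 65000:666 and the Junos lines in the comments are constructed assumptions, and whether loose uRPF actually drops on a discard route is platform-dependent, as the thread notes.

```python
# Added example: ExaBGP "process" helper that announces bogon prefixes with a
# next-hop resolving to discard, so loose uRPF drops packets *from* those
# sources and ordinary forwarding drops packets *to* them.
import ipaddress
import sys

# Constructed values, not from the thread. DISCARD_NEXT_HOP must exist as a
# static discard route on every edge router, e.g. on Junos (assumed config):
#   set routing-options static route 192.0.2.1/32 discard
#   set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose
DISCARD_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65000:666"   # hypothetical; matched by import policy


def parse_bogon_feed(text):
    """Return the valid IPv4/IPv6 prefixes in a feed (one per line, '#'
    comments). Malformed lines are skipped so one bad line cannot wipe
    the whole blocklist."""
    prefixes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            prefixes.add(str(ipaddress.ip_network(line, strict=True)))
        except ValueError:
            continue
    return prefixes


def exabgp_command(prefix, action="announce"):
    """One line in the ExaBGP text API format, e.g.
    'announce route 10.0.0.0/8 next-hop 192.0.2.1 community [ 65000:666 ]'."""
    return (f"{action} route {prefix} next-hop {DISCARD_NEXT_HOP} "
            f"community [ {BLACKHOLE_COMMUNITY} ]")


def feed_delta(current, new):
    """Commands that move the announced set from `current` to `new`:
    withdraw what disappeared from the feed, announce what is new."""
    cmds = [exabgp_command(p, "withdraw") for p in sorted(current - new)]
    cmds += [exabgp_command(p, "announce") for p in sorted(new - current)]
    return cmds


if __name__ == "__main__":
    # Run from an ExaBGP `process` block (assumed: run python3 bogons.py feed.txt;)
    # ExaBGP reads the commands this process writes to stdout.
    with open(sys.argv[1]) as fh:
        feed = parse_bogon_feed(fh.read())
    for cmd in feed_delta(set(), feed):
        print(cmd)
    sys.stdout.flush()
```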
