
On Wed, 14 May 2003, Lars Higham wrote:
Sorry,
I misunderstood the earlier question -
From the docs: To enable unicast RPF check, include the unicast-reverse-path statement at the [edit routing-options forwarding-table] hierarchy level:

    [edit]
    routing-options {
        forwarding-table {
            unicast-reverse-path (active-paths | feasible-paths);
        }
    }

yes, the config bits are on the website.... BUT, not the details of the implementation :) So, does uRPF on a Juniper work the same as the Cisco?? :)
Regards, Lars Higham
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Christopher L. Morrow
Sent: Tuesday, May 13, 2003 2:00 AM
To: Stefan Mink
Cc: Haesu; jtk@aharp.is-net.depaul.edu; nanog@merit.edu
Subject: Re: Using Policy Routing to stop DoS attacks
On Mon, 12 May 2003, Stefan Mink wrote:
On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
You could hold blackhole routes for these destinations in your route table (local or BGP). So long as the destination for the source is bad (null for instance) the traffic would get dropped. I believe the proper terms from Cisco for this are: "So long as the adjacency is invalid" ...
Is there a way to make this source-blackhole-routing work on J's too (does this work with discard-routes too)?
I believe someone from Juniper should likely answer this question :) As I understand the setup from a Cisco perspective (and someone from Cisco can correct me if I get it wrong), uRPF works in such a way that if the source address's destination has an invalid FIB entry (or no entry, or Null0) the packets are dropped.
Perhaps Juniper implemented it this way? I have not checked any more closely than this. Sorry. :(
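The drop decision described in the thread for the Cisco side, as an added example that is not part of the original messages and not vendor code: the source address is looked up in the FIB by longest-prefix match and the packet is dropped when there is no entry or the entry points at Null0. The route table, next-hop labels and function names are constructed for illustration; the sketch does not model any ingress-interface comparison or the Juniper active-paths/feasible-paths options.

```python
import ipaddress

NULL = "Null0"  # label used here for a discard/blackhole next hop


def build_fib(routes):
    """Parse {prefix: next_hop} into a list sorted longest prefix first."""
    fib = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]
    return sorted(fib, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(fib, addr):
    """Longest-prefix match; returns the next hop, or None if nothing covers addr."""
    ip = ipaddress.ip_address(addr)
    for net, next_hop in fib:
        if ip in net:
            return next_hop
    return None


def urpf_verdict(fib, src):
    """Return (action, reason) for a packet whose source address is src."""
    next_hop = lookup(fib, src)
    if next_hop is None:
        return ("drop", "no FIB entry for source")
    if next_hop == NULL:
        return ("drop", "source resolves to blackhole route")
    return ("forward", f"source reachable via {next_hop}")


# Constructed route table (documentation prefixes). The /32 is the
# source-blackhole route: a more specific entry pointing at Null0.
ROUTES = {
    "192.0.2.0/24": "if-a",
    "198.51.100.0/24": "if-b",
    "198.51.100.66/32": NULL,
}
FIB = build_fib(ROUTES)

if __name__ == "__main__":
    # Constructed sample sources: blackholed host, its neighbour, unrouted space.
    for src in ("198.51.100.66", "198.51.100.10", "203.0.113.5"):
        action, reason = urpf_verdict(FIB, src)
        print(f"{src:<15} {action:<8} {reason}")
```

The /32 wins over the covering /24 only because the lookup is longest-prefix first, which is what lets a single injected blackhole route drop one source without affecting its neighbours.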