On Thu, 15 Oct 2020 at 17:49, Ryan Hamel <ryan@rkhtech.org> wrote:
> So you're dropping in every edge all UDP packets towards these three ports? Your customers may not appreciate. You must not be familiar with JUNOS' ACL handling. This would be applied to interface lo0, which is specifically for control planes. No data plane traffic to customers would be hit.
I'm sure there are some gaps in knowledge at play here. There are many reasons why packets hit the control plane and are not subject to the lo0 filter, for example TTL expiry. Also, as I tried to communicate with little success, BFD is implemented in NPU ucode and you are subject to NPU ucode bugs. The bug I'm talking about does not require you to use or configure BFD; it just needs the NPU to parse it, and your FPC is gone. Same deal with the Cisco issue I'm talking about.

I've not yet seen a single non-broken Junos control-plane protection: everyone has terribly poorly written lo0 filters, and no one has any idea how to configure ddos-protection. If you use some canonical sources to do this, like Cymru or Juniper's MX book, you'll get it all wrong, as they both contain trivial and naive errors. But if you do manage to configure lo0 and ddos-protection correctly, you're still exposed to a wide array of packet-of-death style vectors. Just yesterday on Junos SIRT-day there was a bug where your KRT will become wedged if you sample (IPFIX) a specifically crafted packet; this will be a transit packet.

Problems become increasingly simple the less you understand them.

--
++ytti