RE: Using Policy Routing to stop DoS attacks
On Wed, 14 May 2003, Lars Higham wrote:
Sorry,
I misunderstood the earlier question -
From the docs: To enable unicast RPF check, include the unicast-reverse-path statement at the [edit routing-options forwarding-table] hierarchy level:

    [edit]
    routing-options {
        forwarding-table {
            unicast-reverse-path (active-paths | feasible-paths);
        }
    }
Yes, the config bits are on the website.... BUT, not the details of the implementation :) So, does uRPF on a Juniper work the same as the Cisco?? :)
Regards, Lars Higham
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Christopher L. Morrow
Sent: Tuesday, May 13, 2003 2:00 AM
To: Stefan Mink
Cc: Haesu; jtk@aharp.is-net.depaul.edu; nanog@merit.edu
Subject: Re: Using Policy Routing to stop DoS attacks
On Mon, 12 May 2003, Stefan Mink wrote:
On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
you could hold blackhole routes for these destinations in your route table (local or bgp) So long as the destination for the source is bad (null for instance) the traffic would get dropped. I believe the proper terms from cisco for this are: "So long as the adjacency is invalid" ...
is there a way to make this source-blackhole-routing work on J's too (does this work with discard-routes too)?
I believe someone from Juniper should likely answer this question :) As I understand the setup from a Cisco perspective (and someone from Cisco can correct me if I get it wrong), uRPF works in such a way that if the source address's destination has an invalid FIB entry (or no entry, or Null0) the packets are dropped.
Perhaps Juniper implemented it this way? I have not checked any more closely than this. Sorry. :(
participants (1): Christopher L. Morrow
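The source check discussed in this thread, as an added example that is not part of the original messages and is not any vendor's implementation: a simplified model in which a packet is dropped when the lookup on its source address finds no FIB entry or a Null0 (discard) entry. The FIB contents, interface names and addresses are constructed, and the `strict` option goes beyond the thread by also requiring that the route back to the source point out the arrival interface.

```python
import ipaddress

NULL0 = "Null0"  # assumed label for a discard/blackhole next hop


class Fib:
    """Toy forwarding table: a list of (prefix, outgoing interface)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, address):
        """Longest-prefix match; returns the interface, or None if no route."""
        addr = ipaddress.ip_address(address)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_permits(fib, src, in_interface, strict=False):
    """Return True if a packet from `src` arriving on `in_interface` passes."""
    out = fib.lookup(src)
    if out is None or out == NULL0:
        return False          # no entry, or source is blackholed
    if strict and out != in_interface:
        return False          # strict mode: must arrive on the return path
    return True


def build_sample_fib():
    """Constructed sample table (documentation address ranges)."""
    fib = Fib()
    fib.add("203.0.113.0/24", "ge-0/0/0")    # reachable via upstream
    fib.add("198.51.100.0/24", "ge-0/0/1")   # customer network
    fib.add("203.0.113.66/32", NULL0)        # source-blackhole route
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for src in ("203.0.113.10", "203.0.113.66", "192.0.2.1"):
        print(src, "permit" if urpf_permits(fib, src, "ge-0/0/0") else "drop")
```

The /32 discard route wins the longest-prefix match over the covering /24, which is why installing a blackhole route for a source (locally or via BGP) causes traffic from that source to fail the check.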