[58435] in North American Network Operators' Group


RE: Using Policy Routing to stop DoS attacks

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed May 14 00:07:25 2003

Date: Wed, 14 May 2003 04:06:45 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Lars Higham <lhigham@communicationsmanagement.com>
Cc: 'Stefan Mink' <mink@schlund.net>, 'Haesu' <haesu@towardex.com>,
	jtk@aharp.is-net.depaul.edu, nanog@merit.edu
In-Reply-To: <C92C189707AE2744BAC246C7DCC06D48CDD0CB@ggnu208a.ggn.spcnl.co.in>
Errors-To: owner-nanog-outgoing@merit.edu

On Wed, 14 May 2003, Lars Higham wrote:

> Sorry,
>
> I misunderstood the earlier question -
>
> >From the docs:
> To enable unicast RPF check, include the unicast-reverse-path statement
> at the [edit routing-options forwarding-table] hierarchy level:
> [edit] routing-options {
> 	forwarding-table{
> 		unicast-reverse-path (active-paths | feasible-paths);
> 		}
> 	}
>

Yes, the config bits are on the website... BUT not the details of the
implementation :) So, does uRPF on a Juniper work the same as on the Cisco?
:)

> Regards,
> Lars Higham
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Christopher L. Morrow
> Sent: Tuesday, May 13, 2003 2:00 AM
> To: Stefan Mink
> Cc: Haesu; jtk@aharp.is-net.depaul.edu; nanog@merit.edu
> Subject: Re: Using Policy Routing to stop DoS attacks
>
>
>
>
> On Mon, 12 May 2003, Stefan Mink wrote:
>
> > On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
> > > you could hold blackhole routes for these destinations in your route
> > > table (local or bgp) So long as the destination for the source is bad
> > > (null for instance) the traffic would get dropped. I believe the proper
> > > terms from cisco for this are: "So long as the adjacency is invalid" ...
> >
> > is there a way to make this source-blackhole-routing work
> > on J's too (does this work with discard-routes too)?
> >
>
> I believe someone from Juniper should likely answer this question :) As I
> understand the setup from a Cisco perspective (and someone from Cisco can
> correct me if I get it wrong). uRPF works in such a way that if the source
> address's destination has an invalid FIB entry (or no entry, or Null0) the
> packets are dropped.
>
> Perhaps Juniper implemented it this way? I have not checked any more
> closely than this. Sorry. :(
>
>
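
To make the Cisco uRPF behaviour described in the quoted mail concrete, here is a small Python model of the per-packet decision. This is an added example written for this archive page, not code from the list, from Cisco or from Juniper. It assumes a hypothetical FIB keyed by prefix, uses the string "Null0" to stand in for a blackhole next hop (a Junos discard route would play the same role, but whether Junos's rpf-check treats discard routes exactly like Cisco treats Null0 is precisely the question the thread leaves open), and models Cisco's default of ignoring the default route for the source lookup unless allow-default is configured. Interface names and addresses are constructed.

```python
"""Model of unicast RPF (uRPF) as described in the thread: a packet is dropped
when the FIB lookup on its *source* address yields no route, or a route whose
next hop is a blackhole (Cisco Null0; Junos discard assumed equivalent here).
All data below is constructed for illustration, not taken from a real router."""

import ipaddress

BLACKHOLE = "Null0"  # assumption: one marker for "valid route, invalid adjacency"

# Constructed FIB: prefix -> egress interface, or BLACKHOLE for a null route.
FIB = {
    "0.0.0.0/0": "ge-0/0/0",       # default route toward upstream
    "10.1.0.0/16": "ge-0/0/1",     # customer A
    "10.2.0.0/24": "ge-0/0/2",     # customer B
    "192.0.2.77/32": BLACKHOLE,    # attack source held as a null route
}


def lookup(fib, address, allow_default=False):
    """Longest-prefix match on the FIB; return (network, next_hop) or None.
    Cisco skips the default route for the uRPF source check unless the
    interface is configured with the allow-default keyword."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def urpf_permits(fib, src, ingress, mode="loose", allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.
    strict: the route back to the source must point out the ingress interface
    loose:  any valid (non-blackhole) route back to the source suffices"""
    match = lookup(fib, src, allow_default)
    if match is None:
        return False            # no route back to the source: drop
    _, next_hop = match
    if next_hop == BLACKHOLE:
        return False            # route exists but adjacency is invalid: drop
    if mode == "strict":
        return next_hop == ingress
    return True


def filter_packets(fib, packets, mode, allow_default=False):
    """Apply uRPF to a list of (src, ingress) and return (src, ingress, verdict)."""
    return [
        (src, ingress,
         "permit" if urpf_permits(fib, src, ingress, mode, allow_default) else "drop")
        for src, ingress in packets
    ]


# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("10.1.5.5", "ge-0/0/1"),      # customer A traffic on customer A's port
    ("10.1.5.5", "ge-0/0/0"),      # customer A address arriving from upstream
    ("192.0.2.77", "ge-0/0/0"),    # source that has been blackholed
    ("198.51.100.9", "ge-0/0/0"),  # only the default route covers this source
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, ingress, verdict in filter_packets(FIB, PACKETS, mode):
            print(f"{mode:6} {src:14} via {ingress}: {verdict}")
```

The third packet is the case the thread is about: the source has a perfectly good FIB entry, but its next hop is a null route, so uRPF drops it in loose mode as well as strict mode, which is what turns a blackhole route into a source-based filter. The fourth packet shows the default-route caveat: without allow-default it is dropped in both modes, with it the loose check passes (and the strict check passes too, since the default points back out ge-0/0/0). On Cisco IOS the corresponding knobs are `ip verify unicast source reachable-via rx` (strict) or `reachable-via any` (loose), optionally with `allow-default`, plus `ip route 192.0.2.77 255.255.255.255 Null0`; on Junos a `static route 192.0.2.77/32 discard` under `routing-options` together with `rpf-check` under the interface's `family inet`, and the `unicast-reverse-path` forwarding-table statement quoted above. How Junos handles the discard and default-route cases is not confirmed anywhere on this page, so test it on the platform before relying on it.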
