North American Network Operators Group

RE: Using Policy Routing to stop DoS attacks
On Wed, 14 May 2003, Lars Higham wrote:

> Sorry,
>
> I misunderstood the earlier question -
>
> From the docs:
> To enable unicast RPF check, include the unicast-reverse-path statement
> at the [edit routing-options forwarding-table] hierarchy level:
>
> [edit]
> routing-options {
>     forwarding-table {
>         unicast-reverse-path (active-paths | feasible-paths);
>     }
> }
>

yes, the config bits are on the website.... BUT, not the details of the
implementation :) So, does uRPF on a juniper work the same as the cisco?? :)

> Regards,
> Lars Higham
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Christopher L. Morrow
> Sent: Tuesday, May 13, 2003 2:00 AM
> To: Stefan Mink
> Cc: Haesu; [email protected]; [email protected]
> Subject: Re: Using Policy Routing to stop DoS attacks
>
> On Mon, 12 May 2003, Stefan Mink wrote:
>
> > On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
> > > you could hold blackhole routes for these destinations in your route
> > > table (local or bgp) So long as the destination for the source is bad
> > > (null for instance) the traffic would get dropped. I believe the
> > > proper terms from cisco for this are: "So long as the adjacency is
> > > invalid" ...
> >
> > is there a way to make this source-blackhole-routing work
> > on J's too (does this work with discard-routes too)?
> >
>
> I believe someone from Juniper should likely answer this question :) As I
> understand the setup from a Cisco perspective (and someone from Cisco can
> correct me if I get it wrong). uRPF works in such a way that if the source
> address's destination has an invalid FIB entry (or no entry, or Null0) the
> packets are dropped.
>
> Perhaps Juniper implemented it this way? I have not checked any more
> closely than this. Sorry. :(
>
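
The source check described in the quoted message (drop when the source address has no FIB entry or resolves to Null0), modelled as an added example that is not part of the original thread and says nothing about how either vendor implements it. The Fib class, the function names, the next-hop labels and the documentation prefixes are all constructed for illustration.

```python
import ipaddress

NULL0 = "Null0"  # discard next hop, named as in the thread


class Fib:
    """Toy forwarding table (hypothetical): prefix -> next hop."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        """Longest-prefix match; returns the next hop or None."""
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def urpf_permits(fib, src):
    """Source check as described in the thread: the packet is dropped
    when its source has no FIB entry or the entry points at Null0."""
    next_hop = fib.lookup(src)
    return next_hop is not None and next_hop != NULL0


def blackhole_source(fib, host):
    """Install a /32 to Null0 so packets *from* host fail the check.
    In practice this route could be local or learned via BGP."""
    fib.add(f"{host}/32", NULL0)


def demo():
    # Constructed sample table using RFC 5737 documentation prefixes.
    fib = Fib()
    fib.add("198.51.100.0/24", "upstream-a")
    fib.add("203.0.113.0/24", "peer-b")
    sources = ["198.51.100.7", "198.51.100.8", "203.0.113.9", "192.0.2.1"]
    before = {s: urpf_permits(fib, s) for s in sources}
    blackhole_source(fib, "198.51.100.7")  # the offending source
    after = {s: urpf_permits(fib, s) for s in sources}
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Only the /32 changes state after the blackhole route is installed: the more specific Null0 entry wins the longest-prefix match, while the neighbouring host in the same /24 still passes.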