netsec-sig - RE: [Security-WG] I2 - Routing security survey results

Subject: Internet2 Network Security SIG


RE: [Security-WG] I2 - Routing security survey results


  • From: Michael Hare <>
  • To: "" <>, "" <>
  • Subject: RE: [Security-WG] I2 - Routing security survey results
  • Date: Thu, 01 Dec 2016 16:03:33 +0000
  • Accept-language: en-US

If we want to push GTSM, as a group we may want to put pressure on Juniper to
improve their implementation. Last time I checked [14.x] it was an easy
outbound toggle, but inbound you have to manually change your input firewall
filter to disallow BGP that is not TTL 255. We use groups extensively, so
the worst outcome is that I've had to come up with a different input filter
for internet-facing connections, but for others I could see this being
cumbersome if they are not using groups.

-Michael

==/==

set firewall family inet filter antispoof-in-ttl-security apply-groups sync_fw-inet-ttl-security

m7h@r-uwmilwaukee-hub-re1# show groups sync_fw-inet-ttl-security
firewall {
    family inet {
        /* <*> matches any filter name this group is applied to */
        filter <*> {
            /* GTSM inbound check: drop BGP (TCP, either port 179) unless TTL is 255 */
            term bgp {
                from {
                    protocol tcp;
                    ttl-except 255;
                    port 179;
                }
                then {
                    count :discard:tcp:bgp-ttl;
                    discard;
                }
            }
            /* everything else continues to the next term of the filter */
            term else {
                then next term;
            }
        }
    }
}


-----Original Message-----
From: [mailto:] On Behalf Of John Kristoff
Sent: Thursday, December 1, 2016 9:22 AM
To:
Subject: Re: [Security-WG] I2 - Routing security survey results

On Thu, 1 Dec 2016 14:51:53 +0000 gcbrowni <> wrote:

> Based on the SHOULD/MUST column, it would seem that we should start
> with a discussion paper on filter BGP/tcp-179 and then maybe iBGP
> edge filtering? How's that sound, or does anyone have some alternate
> suggestions?

Sounds good to me. It seems like GTSM is an easy win at IXes or p2p
links. Perhaps we can add this as a third item on the todo list? I'll
add this to our todo here locally where applicable.

John



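The receive-side check that the Junos term above implements, as an added example that is not part of this thread and not Juniper code: it builds a few constructed IPv4/TCP packets, parses TTL, protocol and ports out of the raw headers, and applies the GTSM rule from RFC 5082. With trust_radius=0 it behaves exactly like "protocol tcp; port 179; ttl-except 255; then discard" (only TTL 255 survives, so only a directly connected peer can reach the BGP speaker); with a non-zero TrustRadius it shows the relaxed form the RFC allows for multihop sessions, which a strict "ttl-except 255" term would otherwise drop. Packet contents, addresses and ports are all made up for the example.

```python
"""GTSM (RFC 5082) receive-side check over constructed IPv4/TCP packets.

Models the Junos firewall term from the mail: discard TCP segments with
source or destination port 179 whose IP TTL is not 255. Also implements the
RFC 5082 TrustRadius variant, where a segment is accepted if
TTL >= 255 - TrustRadius, so multihop peers a known number of hops away
can be admitted without opening the session to the whole Internet.
"""
import struct

BGP_PORT = 179
PROTO_TCP = 6


def build_packet(src, dst, ttl, sport, dport, proto=PROTO_TCP):
    """Minimal IPv4 header (no options) + TCP header, zero checksums.
    Constructed test input only; not a real capture."""
    ver_ihl = (4 << 4) | 5                      # IPv4, 5 x 32-bit words
    total_len = 20 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0,
                         ttl, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    data_off = 5 << 4                            # 20-byte TCP header
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_off, 0x02, 65535, 0, 0)  # SYN
    return ip_hdr + tcp_hdr


def parse_packet(pkt):
    """Return (ttl, proto, sport, dport); ports are None when not TCP."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4                   # header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != PROTO_TCP or len(pkt) < ihl + 4:
        return (ttl, proto, None, None)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (ttl, proto, sport, dport)


def gtsm_decision(pkt, trust_radius=0):
    """'discard' for a BGP segment that fails GTSM, otherwise 'accept'.

    trust_radius=0 is the strict case: only TTL 255 is accepted, which is
    what 'ttl-except 255 ... then discard' enforces on the router.
    """
    fields = parse_packet(pkt)
    if fields is None:
        return "accept"                          # not a BGP segment; next term
    ttl, proto, sport, dport = fields
    if proto != PROTO_TCP or BGP_PORT not in (sport, dport):
        return "accept"                          # 'term else { then next term }'
    if ttl < 255 - trust_radius:
        return "discard"                         # too many hops: spoofed or remote
    return "accept"


def run_filter(packets, trust_radius=0):
    """Apply the check to a batch and return accept/discard counters,
    the equivalent of the 'count' action in the Junos term."""
    counters = {"accept": 0, "discard": 0}
    for p in packets:
        counters[gtsm_decision(p, trust_radius)] += 1
    return counters


# Constructed sample traffic (assumed addresses/ports, not real peers).
SAMPLE_PACKETS = [
    build_packet("10.0.0.2", "10.0.0.1", 255, 54321, BGP_PORT),   # direct peer
    build_packet("192.0.2.9", "10.0.0.1", 252, 40000, BGP_PORT),  # 3 hops away
    build_packet("10.0.0.1", "198.51.100.7", 253, BGP_PORT, 40001),  # 2-hop multihop peer
    build_packet("10.0.0.2", "10.0.0.1", 64, 55555, 443),         # unrelated TCP
    build_packet("10.0.0.2", "10.0.0.1", 64, 0, 0, proto=1),      # non-TCP
]

if __name__ == "__main__":
    print("strict (ttl-except 255):", run_filter(SAMPLE_PACKETS))
    print("TrustRadius 2:", run_filter(SAMPLE_PACKETS, trust_radius=2))
```

The strict run discards both the 3-hop and the 2-hop BGP packets, which is the point of the Junos term but also the operational caveat: any legitimate eBGP multihop session behind the same input filter needs either its own term ahead of the GTSM term or the TrustRadius form shown in the second run, which still keeps the 3-hop packet out.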