netsec-sig - Re: [Security-WG] I2 - Routing security survey results

Subject: Internet2 Network Security SIG


Re: [Security-WG] I2 - Routing security survey results


  • From: Brad Fleming <>
  • Subject: Re: [Security-WG] I2 - Routing security survey results
  • Date: Thu, 1 Dec 2016 13:06:54 -0600

Agreed. The Juniper implementation for actually enforcing this feature on inbound packets is annoying and tedious at best. Both Cisco and Brocade are one-line configurations I believe (not sure about other platforms).

We also use groups pretty extensively but found that using the filter-list feature works well enough. Not pretty by any means but at least allows us to use a standard group while retaining the ability to apply a peer-specific filter with GTSM (among other things if we wish). Still seems like too many hoops and fragility for a simple feature IMHO. Here’s one where we do GTSM:

bdfleming@RouterOfDoom> show configuration interfaces interface.####
apply-groups standard-lateral-peer;
description “Some Peer";
family inet {
    mtu 9000;
    filter {
        input-list v4-in-lateral-peer-specific-example;
    }
    address 192.168.1.1/30;
}

bdfleming@RouterOfDoom> show configuration groups standard-lateral-peer interfaces <*> unit <*> family inet filter
input-list v4-in-lateral-peer;
output-list v4-out-lateral-peer;

bdfleming@RouterOfDoom> show configuration firewall family inet filter v4-in-lateral-peer-specific-example
term accept-gtsm-bgp {
    from {
        protocol tcp;
        ttl-except 255;
        port bgp;
    }
    then {
        count “Bad BGP TTL";
        discard;
    }
}


And the result is:
bdfleming@RouterOfDoom> show configuration interfaces interface.#### | display inheritance no-comments
description “Some Peer";
family inet {
    mtu 9000;
    filter {
        input-list [ v4-in-lateral-peer-specific-example v4-in-lateral-peer ];
        output-list [ v4-out-lateral-peer v4-out-upstream-peer ];
    }
    sampling {
        input;
    }
    address 164.113.216.105/30;
}



On Dec 1, 2016, at 10:03 AM, Michael Hare <> wrote:

If we want to push GTSM, as a group may want to put pressure on Juniper to improve their implementation.  Last time I checked [14.x] it was an easy outbound toggle but inbound you have to manually change your input firewall filter to disallow BGP that is not TTL 255.   We use groups extensively so the worst outcome is that I've had to come up with a different input filter for internet facing connections, but for others I could see this being cumbersome if they are not using groups.

-Michael

==/==

set firewall family inet filter antispoof-in-ttl-security apply-groups sync_fw-inet-ttl-security

m7h@r-uwmilwaukee-hub-re1# show groups sync_fw-inet-ttl-security
firewall {
   family inet {
       filter <*> {
           term bgp {
               from {
                   protocol tcp;
                   ttl-except 255;
                   port 179;
               }
               then {
                   count :discard:tcp:bgp-ttl;
                   discard;
               }
           }
           term else {
               then next term;
           }
       }
   }
}


-----Original Message-----
From: [] On Behalf Of John Kristoff
Sent: Thursday, December 1, 2016 9:22 AM
To:
Subject: Re: [Security-WG] I2 - Routing security survey results

On Thu, 1 Dec 2016 14:51:53 +0000
gcbrowni <> wrote:

Based on the SHOULD/MUST column, it would seem that we should start
with a discussion paper on filter BGP/tcp-179 and then maybe iBGP
edge filtering? How's that sound, or does anyone have some alternative
suggestions?

Sounds good to me.  It seems like GTSM is an easy win at IXes or p2p
links.  Perhaps we can add this as a third item on the todo list?  I'll
add this to our todo here locally where applicable.

John
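The inbound check that both Junos filters in this thread express (protocol tcp, ttl-except 255, port bgp, then discard) modelled in Python as an added example; this is not Junos code or anything posted by the thread's authors, the packets are constructed byte strings, and the counter name "Bad BGP TTL" is borrowed from Brad's filter. It also shows why the rule works: each router on the path decrements TTL, so a TTL of 255 on receipt can only come from a directly connected neighbor (RFC 5082).

```python
"""Model of the inbound GTSM firewall term discussed in the thread.
Added example, not Junos code; packets are constructed byte strings."""
import struct
from dataclasses import dataclass

BGP_PORT = 179   # Junos 'port bgp' matches source OR destination port 179


@dataclass
class Verdict:
    action: str    # "discard" or "next-term"
    counter: str   # counter incremented by the term, "" if none


def parse_ipv4_tcp(pkt: bytes):
    """Return (protocol, ttl, src_port, dst_port) from a raw IPv4 packet.
    Ports are None when the payload is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4     # header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:                # not TCP: ports are meaningless here
        return proto, ttl, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, ttl, sport, dport


def gtsm_term(pkt: bytes) -> Verdict:
    """Term 'accept-gtsm-bgp': from { protocol tcp; ttl-except 255;
    port bgp; } then { count "Bad BGP TTL"; discard; }"""
    proto, ttl, sport, dport = parse_ipv4_tcp(pkt)
    if proto == 6 and ttl != 255 and BGP_PORT in (sport, dport):
        return Verdict("discard", "Bad BGP TTL")
    return Verdict("next-term", "")   # falls through to the next term


def build_packet(ttl: int, proto: int, sport: int, dport: int) -> bytes:
    """Constructed minimal IPv4 header (no options) plus the L4 port pair."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, proto, 0,
                      bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    return hdr + struct.pack("!HH", sport, dport)


def forward(pkt: bytes, hops: int) -> bytes:
    """Simulate 'hops' routers on the path, each decrementing TTL by one."""
    return pkt[:8] + bytes([max(pkt[8] - hops, 0)]) + pkt[9:]


if __name__ == "__main__":
    direct = build_packet(255, 6, 40000, BGP_PORT)    # from the /30 neighbor
    print(gtsm_term(direct))                          # next-term
    print(gtsm_term(forward(direct, 2)))              # discard, TTL is 253
    print(gtsm_term(build_packet(64, 6, 40000, 443))) # next-term, not BGP
```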



