netsec-sig - Re: [Security-WG] I2 - draft of "filtering tcp/179" paper

Subject: Internet2 Network Security SIG

Re: [Security-WG] I2 - draft of "filtering tcp/179" paper


  • From: Andrew Gallo <>
  • Subject: Re: [Security-WG] I2 - draft of "filtering tcp/179" paper
  • Date: Tue, 13 Dec 2016 13:59:38 -0500

Good doc.

A few comments on the Junos section:

The firewall filter config starts at the 'term' level. It might make the config a bit clearer to include the next higher level, 'input-strict-in'.

policy-options {
    /* apply-path expands to a host prefix for every configured BGP neighbor */
    prefix-list BGP-PEERS {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list input-strict-in;
                }
            }
            /* a filter referenced under family inet6 must itself be defined
               under 'firewall family inet6'; the inet filter below does not
               cover it */
            family inet6 {
                filter {
                    input-list input-strict-in;
                }
            }
        }
    }
}

firewall {
    family inet {
        filter input-strict-in {
            term allow-bgp {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    /* 'port bgp' matches tcp/179 as either source or destination port */
                    port bgp;
                }
                then accept;
            }
            <additional terms>
        }
    }
}

(couple of other changes: changed the name of the prefix to match what is in the filter; changed interface syntax to 'input-list'; changed port from numeric to bgp; added family inet6 to the interface)
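As an added illustration, not part of the thread and not Junos code, a short Python model of how the allow-bgp term above decides: it expands a constructed neighbor list the way apply-path would, splits it per address family, and classifies constructed packets.

```python
# Added example (not from the thread): a model of the lo0 filter above.
# Neighbor addresses and packets are constructed sample data.
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for "protocols bgp group <*> neighbor <*>".
BGP_NEIGHBORS = ["192.0.2.1", "192.0.2.2", "2001:db8::1"]
BGP_PORT = 179  # Junos "port bgp"


def expand_prefix_list(neighbors):
    """Mimic apply-path: each neighbor becomes a host prefix. Entries are
    kept per family because Junos filters are per family (the inet6 side
    needs its own filter under 'firewall family inet6')."""
    inet, inet6 = [], []
    for n in neighbors:
        net = ipaddress.ip_network(n)  # "192.0.2.1" -> 192.0.2.1/32
        (inet if net.version == 4 else inet6).append(net)
    return {"inet": inet, "inet6": inet6}


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    sport: int
    dport: int


def allow_bgp_matches(pkt, prefix_lists):
    """Term allow-bgp: source in BGP-PEERS, protocol tcp, and 'port bgp',
    which in Junos matches either the source or the destination port."""
    src = ipaddress.ip_address(pkt.src)
    family = "inet" if src.version == 4 else "inet6"
    in_peers = any(src in p for p in prefix_lists[family])
    return in_peers and pkt.proto == "tcp" and BGP_PORT in (pkt.sport, pkt.dport)


def filter_action(pkt, prefix_lists):
    """'accept' when the term matches; otherwise fall through to the
    <additional terms>, modelled here as discarding any other tcp/179 and
    passing everything else on to the next term."""
    if allow_bgp_matches(pkt, prefix_lists):
        return "accept"
    if pkt.proto == "tcp" and BGP_PORT in (pkt.sport, pkt.dport):
        return "discard"
    return "next-term"
```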




On 12/13/2016 12:23 PM, gcbrowni wrote:
Folks,

I’ve worked up a draft document in google doc, trying to incorporate the
feedback from the survey and mailing list. It’s at:
https://docs.google.com/document/d/1ewqrBGqsNDs_zcRIxGl7uGyGCXBJDuNs-LR5XIMy6ac/edit?usp=sharing

I’d appreciate feedback. The idea would be to have a web page on the I2 site
that has a kind of general overview, and then a bunch of sub-pages on
individual topics. This would be the first of those individual topics. So,
more web pag'y and less pdf’y.

In particular someone looking over the Cisco configs would be appreciated.
It’s been awhile for me and, frankly, the implementation of filtering tcp/179
on Cisco devices seems a lot clunkier than either Juniper or Brocade … making
me wonder if I’m missing something. I.e.: it has to be applied to every
interface, as I understand it, because there is no control plane interface
(like on a Juniper) or control plane access list (like on a Brocade.)

Getting us a contact in Cisco to work with would also seem like a great idea.

Anyway, thoughts? Comments?

(once this is do a good point we’ll get it posted and move on to the next
topic from the survey.)
-G


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
