
netsec-sig - Re: [Security-WG] I2 - draft of "filtering tcp/179" paper

Subject: Internet2 Network Security SIG


Re: [Security-WG] I2 - draft of "filtering tcp/179" paper


  • From: gcbrowni <>
  • To:
  • Subject: Re: [Security-WG] I2 - draft of "filtering tcp/179" paper
  • Date: Wed, 14 Dec 2016 10:21:38 -0500

Thanks for the assist!

I’ve gone ahead and incorporated the suggestions. I’ll leave the topic open
for about another week, and then begin work on getting it posted and move on
to the next topic area. And, of course, none of this is static. We can make
changes in the future as well.

-G



> On Dec 13, 2016, at 1:59 PM, Andrew Gallo
> <>
> wrote:
>
> Good doc.
>
> A few comments on the Junos section:
>
> The firewall filter config starts at the 'term' level. It might make the
> config a bit clearer to include the next higher level 'input-strict-in'
>
>> prefix-list BGP-PEERS {
>>     apply-path "protocols bgp group <*> neighbor <*>";
>> }
>>
>> lo0 {
>>     unit 0 {
>>         family inet {
>>             filter {
>>                 input-list input-strict-in;
>>             }
>>         }
>>         family inet6 {
>>             filter {
>>                 input-list input-strict-in;
>>             }
>>         }
>>     }
>> }
>>
>> filter input-strict-in {
>>     term allow-bgp {
>>         from {
>>             source-prefix-list {
>>                 BGP-PEERS;
>>             }
>>             protocol tcp;
>>             port bgp;
>>         }
>>         then accept;
>>     }
>>     <additional terms>
>> }
>
> (couple of other changes: changed the name of the prefix to match what is
> in the filter; changed interface syntax to 'input-list'; changed port from
> numeric to bgp; added family inet6 to the interface)
>
>
>
>
> On 12/13/2016 12:23 PM, gcbrowni wrote:
>> Folks,
>>
>> I’ve worked up a draft document in google doc, trying to incorporate the
>> feedback from the survey and mailing list. It’s at:
>> https://docs.google.com/document/d/1ewqrBGqsNDs_zcRIxGl7uGyGCXBJDuNs-LR5XIMy6ac/edit?usp=sharing
>>
>> I’d appreciate feedback. The idea would be to have a web page on the I2
>> site that has a kind of general overview, and then a bunch of sub-pages on
>> individual topics. This would be the first of those individual topics. So,
>> more web pag'y and less pdf’y.
>>
>> In particular someone looking over the Cisco configs would be appreciated.
>> It’s been awhile for me and, frankly, the implementation of filtering
>> tcp/179 on Cisco devices seems a lot clunkier than either Juniper or
>> Brocade … making me wonder if I’m missing something. I.e.: it has to be
>> applied to every interface, as I understand it, because there is no
>> control plane interface (like on a Juniper) or control plane access list
>> (like on a Brocade.)
>>
>> Getting us a contact in Cisco to work with would also seem like a great
>> idea.
>>
>> Anyway, thoughts? Comments?
>>
>> (once this is at a good point we’ll get it posted and move on to the next
>> topic from the survey.)
>> -G
>
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature
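As an added illustration for readers of this thread (not part of any message above, and not vendor code), the following Python model mirrors the logic of the quoted Junos lo0 filter: a prefix list derived from the configured BGP neighbors (the role of `apply-path`), a first-match walk through filter terms, the Junos `port` keyword matching either the source or the destination port, and the implicit discard at the end of a filter. The neighbor addresses and the `deny-bgp` term are constructed for the example; `deny-bgp` stands in for one of the `<additional terms>` the quoted config leaves out.

```python
"""Model of a Junos-style loopback (lo0) input filter that admits BGP (tcp/179)
only from configured peers. Hypothetical example code with constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str         # source address (IPv4 or IPv6)
    dst: str         # destination address (one of the router's own addresses)
    protocol: str    # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Term:
    name: str
    action: str                              # "accept" or "discard"
    source_prefixes: Tuple[str, ...] = ()    # empty tuple = any source
    protocol: Optional[str] = None
    port: Optional[int] = None               # like Junos 'port': source OR destination

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        if self.source_prefixes:
            src = ip_address(pkt.src)
            # 'in' is False for a v4 address against a v6 prefix (and vice versa),
            # so one prefix list can carry both families, as the shared filter does.
            if not any(src in ip_network(p) for p in self.source_prefixes):
                return False
        return True


def apply_path_bgp_peers(neighbors: Sequence[str]) -> Tuple[str, ...]:
    """Stand-in for apply-path "protocols bgp group <*> neighbor <*>":
    every configured neighbor address becomes a host prefix (/32 or /128)."""
    return tuple(str(ip_network(n)) for n in neighbors)


def evaluate(terms: Sequence[Term], pkt: Packet) -> Tuple[str, str]:
    """Walk the terms in order; the first match decides. A Junos filter with no
    matching term discards the packet, so that is the fall-through result."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit-discard", "discard"


# Constructed sample neighbors (documentation ranges), one of them IPv6.
BGP_NEIGHBORS = ("192.0.2.10", "198.51.100.2", "2001:db8:1::2")
BGP_PEERS = apply_path_bgp_peers(BGP_NEIGHBORS)

# Equivalent of 'filter input-strict-in': the quoted allow-bgp term, followed by a
# hypothetical deny-bgp term standing in for the "<additional terms>" placeholder.
INPUT_STRICT_IN = (
    Term("allow-bgp", "accept", BGP_PEERS, "tcp", 179),
    Term("deny-bgp", "discard", (), "tcp", 179),
)


def run_samples() -> dict:
    """Evaluate a few constructed packets against the filter; returns {label: (term, action)}."""
    samples = {
        # peer opens the session to us: destination port 179
        "peer-v4-to-179": Packet("192.0.2.10", "192.0.2.1", "tcp", 40001, 179),
        # we opened the session: the peer's replies carry 179 as the *source* port
        "peer-v6-from-179": Packet("2001:db8:1::2", "2001:db8::1", "tcp", 179, 50000),
        # unknown host trying to reach the BGP listener
        "stranger-to-179": Packet("203.0.113.7", "192.0.2.1", "tcp", 40001, 179),
        # something this filter never mentions: falls through to the implicit discard
        "stranger-to-22": Packet("203.0.113.7", "192.0.2.1", "tcp", 40001, 22),
    }
    return {label: evaluate(INPUT_STRICT_IN, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (term, action) in run_samples().items():
        print(f"{label:18s} -> {term:16s} {action}")
```

The `peer-v6-from-179` case is the reason the quoted config uses `port bgp` rather than `destination-port bgp`: when the router itself initiates the session, the peer's packets arrive with 179 as the source port, and a destination-port-only term would never match them. The `stranger-to-22` case shows why a real `input-strict-in` needs further terms for every other protocol the router must accept before the implicit discard.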



