netsec-sig - RE: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

Subject: Internet2 Network Security SIG

  • From: Michael Hare <>
  • To: "" <>
  • Subject: RE: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.
  • Date: Thu, 19 Jan 2017 15:45:44 +0000
  • Accept-language: en-US

Thanks for everyone's efforts to put this together.

Although I admit this point may not be relevant for the intended community, note the eBGP Juniper example is likely fine for M/MX/Trio etc but not going to work on things like QFX/EX that often lack features such as matching on "port", instead requiring something like

    }
    term BGP-Allow-source {
        from {
            source-prefix-list {
                BGP-Peers-v4;
            }
            protocol tcp;
            source-port bgp;
        }
        then accept;
    }
    term BGP-Allow-dest {
        from {
            source-prefix-list {
                BGP-Peers-v4;
            }
            protocol tcp;
            destination-port bgp;
        }
        then accept;
    }

These platforms are often limited in filter programming space, and sometimes, even with a moderate number of peers, the filtering becomes impossible.

I think some Juniper platforms (or perhaps it was older code versions) don't care for mixed v4/v6 in a prefix list, so I have deployed something like the following, with the requisite changes in the inet and inet6 lo0 filters.

    prefix-list BGP-Peers-v4 {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    prefix-list BGP-Peers-v6 {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }

Note this won't account for things like routing-instances or logical-routers, but you can create more prefix lists as needed.

    prefix-list BGP-Peers-v6-instances {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*:*>";
    }
    prefix-list BGP-Peers-v4-instances {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*.*.*.*>";
    }

-Michael
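The two points in the message above (separate source-port/destination-port terms on platforms without a "port" match, and per-family apply-path prefix lists including routing-instance variants) are generated together by the following Python script. It is an added example for this archive page, not code from the email or from Juniper; the function names, the sample neighbor addresses, and the (instance, group) key layout are constructed for illustration. The expansion function simulates what the apply-path wildcards resolve to, so you can see why no list ends up mixing v4 and v6, and the final check flags an M/MX-style "port bgp" line before such a filter is pushed to a QFX/EX.

```python
"""Generate lo0 filter pieces for Junos platforms that cannot match on
"port": one accept term per direction (source-port / destination-port)
and separate inet/inet6 prefix lists filled by apply-path.

Added example for this archive page, not the email's or Juniper's code.
Function names and neighbor addresses are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample of BGP neighbors keyed by (routing-instance, group);
# "" as the instance stands for the global (master) instance.
SAMPLE_NEIGHBORS: Dict[Tuple[str, str], List[str]] = {
    ("", "transit"): ["192.0.2.1", "2001:db8::1"],
    ("", "peers"): ["198.51.100.7"],
    ("CUST-A", "cust"): ["203.0.113.9", "2001:db8:2::3"],
}


def apply_path_prefix_lists(with_instances: bool = True) -> str:
    """Emit apply-path prefix lists that never mix v4 and v6 neighbors.
    The <*.*.*.*> / <*:*> wildcards select the address family, so the
    inet lo0 filter references only v4 lists and inet6 only v6 lists."""
    scopes = [("", "")]
    if with_instances:
        scopes.append(("-instances", "routing-instances <*> "))
    stanzas = []
    for suffix, path_prefix in scopes:
        for fam, pattern in (("v4", "<*.*.*.*>"), ("v6", "<*:*>")):
            stanzas.append(
                f"prefix-list BGP-Peers-{fam}{suffix} {{\n"
                f'    apply-path "{path_prefix}protocols bgp group <*> '
                f'neighbor {pattern}";\n'
                "}"
            )
    return "\n".join(stanzas)


def expand_prefix_lists(
    neighbors: Dict[Tuple[str, str], List[str]]
) -> Dict[str, List[str]]:
    """Simulate what the apply-path wildcards resolve to: each neighbor
    lands in exactly one list named by family and scope."""
    lists: Dict[str, List[str]] = {}
    for (instance, _group), addrs in neighbors.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            name = f"BGP-Peers-v{ip.version}" + ("-instances" if instance else "")
            lists.setdefault(name, []).append(str(ip))
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in lists.items()}


def bgp_allow_terms(prefix_lists: Iterable[str]) -> str:
    """Emit the two-term form that avoids a combined "port bgp" match.
    BGP-Allow-source covers packets a peer sends from its port 179
    (sessions we opened); BGP-Allow-dest covers packets sent to our
    port 179 (sessions the peer opened).  Both are limited to the given
    prefix lists, so only configured neighbors reach the RE."""
    members = "".join(f"            {name};\n" for name in prefix_lists)
    terms = []
    for term, port_kw in (("BGP-Allow-source", "source-port"),
                          ("BGP-Allow-dest", "destination-port")):
        terms.append(
            f"term {term} {{\n"
            "    from {\n"
            "        source-prefix-list {\n"
            f"{members}"
            "        }\n"
            "        protocol tcp;\n"
            f"        {port_kw} bgp;\n"
            "    }\n"
            "    then accept;\n"
            "}"
        )
    return "\n".join(terms)


def lo0_bgp_terms_per_family(with_instances: bool = True) -> Dict[str, str]:
    """Terms for the inet and inet6 lo0 filters, each referencing only
    its own family's prefix lists."""
    out: Dict[str, str] = {}
    for family, ver in (("inet", "v4"), ("inet6", "v6")):
        names = [f"BGP-Peers-{ver}"]
        if with_instances:
            names.append(f"BGP-Peers-{ver}-instances")
        out[family] = bgp_allow_terms(names)
    return out


def combined_port_matches(filter_text: str) -> List[str]:
    """Return filter lines using the combined "port" match, which the
    email notes is unavailable on QFX/EX; a pre-push review check."""
    return [ln.strip() for ln in filter_text.splitlines()
            if ln.strip().startswith("port ")]


if __name__ == "__main__":
    print(apply_path_prefix_lists())
    for family, terms in lo0_bgp_terms_per_family().items():
        print(f"# lo0 filter terms, family {family}")
        print(terms)
    print(expand_prefix_lists(SAMPLE_NEIGHBORS))
```

Running the script prints the four prefix lists, the two terms for each family's lo0 filter, and the simulated expansion of the sample neighbors; the caller is expected to wrap the terms in the existing inet and inet6 filters, and to keep a final term that handles remaining traffic according to local policy.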

From: [mailto:] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 9:47 AM
To:
Subject: Re: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

It’s a public page so anyone can view.

I have edits restricted right now, but could be convinced to open it up to shib if there is interest.

On Jan 18, 2017, at 10:46 AM, Thaxton, Adair <> wrote:

Who has access?  I’m a member of the WG, but my coworker is not.  I’d like to forward him some suggestions.  Is it Shibboleth authenticated, or do you need to request users?

From:  [] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 10:27 AM
To: 
Subject: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

Ok, how's this link look? It should be its own space now. Viewable by everyone, but no edit.

Archive powered by MHonArc 2.6.19.