netsec-sig - Re: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

Subject: Internet2 Network Security SIG

  • From: gcbrowni <>
  • To:
  • Subject: Re: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.
  • Date: Thu, 19 Jan 2017 13:01:13 -0500

Michael,

Thanks for the assist. Let me see if I can massage the Juniper section with some more guidance and comments in order to take your comments into account.





On Jan 19, 2017, at 10:45 AM, Michael Hare <> wrote:

Thanks for everyone's efforts to put this together.
 
Although I admit this point may not be relevant for the intended community, note the eBGP Juniper example is likely fine for M/MX/Trio etc. but is not going to work on things like QFX/EX, which often lack features such as matching on "port", instead requiring something like:
 
    term BGP-Allow-source {
        from {
            source-prefix-list {
                BGP-Peers-v4;
            }
            protocol tcp;
            source-port bgp;
        }
        then accept;
    }
    term BGP-Allow-dest {
        from {
            source-prefix-list {
                BGP-Peers-v4;
            }
            protocol tcp;
            destination-port bgp;
        }
        then accept;
    }
 
These platforms are often limited in filter programming space, and sometimes, even with a moderate number of peers, the filtering becomes impossible.
 
I think some Juniper platforms (or perhaps it was older code versions) don't care for mixed v4/v6 in a prefix list, so I have deployed something like the following, with the requisite changes in the inet and inet6 lo0 filters:
 
    prefix-list BGP-Peers-v4 {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    prefix-list BGP-Peers-v6 {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }
 
 
Note this won't account for things like routing-instances or logical-systems, but you can create more prefix lists as needed:
 
    prefix-list BGP-Peers-v6-instances {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*:*>";
    }
    prefix-list BGP-Peers-v4-instances {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*.*.*.*>";
    }
 
-Michael
 
From:  [] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 9:47 AM
To: 
Subject: Re: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.
 
It’s a public page so anyone can view. 
 
I have edits restricted right now, but could be convinced to open it up to shib if there is interest.
 
 
 
On Jan 18, 2017, at 10:46 AM, Thaxton, Adair <> wrote:
 
Who has access? I'm a member of the WG, but my coworker is not. I'd like to forward him some suggestions. Is it Shibboleth-authenticated, or do you need to request users?
 
From:  [] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 10:27 AM
To: 
Subject: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.
 
OK, how's this link look? It should be its own space now. Viewable by everyone, but no edit.
 
 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
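The fragments in the thread above only show the BGP terms and the apply-path prefix lists. The following is an added example, not configuration posted by anyone in the thread or taken from the Internet2 page, that assembles those pieces into a complete lo0 (routing-engine) filter for both address families, with the separate source-port and destination-port terms that QFX/EX need. The filter and counter names (PROTECT-RE-v4, PROTECT-RE-v6, RE-discards-*) are assumptions; only the prefix-list names come from the thread.

```junos
/* Added example, not from the thread. Filter and counter names are assumed.
   Junos filters end in an implicit discard, so every other kind of traffic
   the RE must receive (IGP, SSH, ICMP, NTP, SNMP, DNS, ...) needs its own
   accept term before the final discard, or you will lock yourself out. */
policy-options {
    /* Separate v4 and v6 lists: some platforms/releases reject mixed lists. */
    prefix-list BGP-Peers-v4 {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    prefix-list BGP-Peers-v6 {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE-v4 {
            /* Two terms instead of one "port bgp" term: QFX/EX cannot match
               a port in either direction within a single term. */
            term BGP-Allow-source {
                from {
                    source-prefix-list {
                        BGP-Peers-v4;
                    }
                    protocol tcp;
                    source-port bgp;
                }
                then accept;
            }
            term BGP-Allow-dest {
                from {
                    source-prefix-list {
                        BGP-Peers-v4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* ... accept terms for the other RE protocols go here ... */
            term DEFAULT-DISCARD {
                then {
                    count RE-discards-v4;
                    log;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter PROTECT-RE-v6 {
            term BGP-Allow-source {
                from {
                    source-prefix-list {
                        BGP-Peers-v6;
                    }
                    /* inet6 filters match on next-header, not protocol */
                    next-header tcp;
                    source-port bgp;
                }
                then accept;
            }
            term BGP-Allow-dest {
                from {
                    source-prefix-list {
                        BGP-Peers-v6;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* ... accept terms for ICMPv6/ND, IGP, management go here ... */
            term DEFAULT-DISCARD {
                then {
                    count RE-discards-v6;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-v4;
                }
            }
            family inet6 {
                filter {
                    input PROTECT-RE-v6;
                }
            }
        }
    }
}
```

Before committing, check what apply-path actually expanded to with `show configuration policy-options prefix-list BGP-Peers-v4 | display inheritance`; a peer configured under a routing-instance or logical-system will not appear unless you add the extra prefix lists Michael shows, and a session to such a peer will then fall into DEFAULT-DISCARD. Use `commit confirmed` for the first deployment so a mistake in the non-BGP terms rolls itself back.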
