Internet2 Network Security SIG

[gcbrowni <>]

Michael,

Thanks for the assist. Let me see if I can massage the Juniper section with som more guidance and comments in order to take your comments in to account.

On Jan 19, 2017, at 10:45 AM, Michael Hare <> wrote:

Thanks for everyone's efforts to put this together.

 

Although I admit this point may not be relevant for the intended community, note the eBGP Juniper example is likely fine for M/MX/Trio etc but not going to work on things like QFX/EX that often lack features such as matching on "port", instead requiring something like

 

                    }

                    term BGP-Allow-source {

                        from {

                            source-prefix-list {

                                BGP-Peers-v4;

                            }

                            protocol tcp;

                            source-port bgp;

                        }

                        then accept;

                    }

                    term BGP-Allow-dest {

                        from {

                            source-prefix-list {

                                BGP-Peers-v4;

                            }

                            protocol tcp;

                            destination-port bgp;

                        }

                        then accept;

                    }

 

These platforms are often limited in filter programming space and sometimes with even a moderate amount of peers the filtering becomes impossible.

 

I think some Juniper platforms (or perhaps it was older code versions) don't care for mixed v4/v6 in a prefix list so I have deployed something like the following with the requisite changes in the inet and inet6 lo0 filters

 

           prefix-list BGP-Peers-v4 {

                apply-path "protocols bgp group <*> neighbor <*.*.*.*>";

            }

            prefix-list BGP-Peers-v6 {

                apply-path "protocols bgp group <*> neighbor <*:*>";

            }

 

 

  Note this won't account for things like routing-instances or logical-routers, but you can create more prefix lists as needed.

 

    prefix-list BGP-Peers-v6-instances {

        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*:*>";

    }

    prefix-list BGP-Peers-v4-instances {

        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*.*.*.*>";

    }

 

-Michael

 

From:  [] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 9:47 AM
To: 
Subject: Re: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

 

It’s a public page so anyone can view. 

 

I have edits restricted right now, but could be convinced to open it up to shib if there is interest.

 

 

 

On Jan 18, 2017, at 10:46 AM, Thaxton, Adair <> wrote:

 

Who has access?  I’m a member of the WG, but my coworker is not.  I’d like to forward him some suggestions.  Is it Shibboleth authenticated, or do you need to request users?

 

 

From:  [] On Behalf Of gcbrowni
Sent: Wednesday, January 18, 2017 10:27 AM
To: 
Subject: [Security-WG] I2 - Routing security Spaces page - One. Last. Time.

 

Ok, hows this link look? It should be it’s own space now. Viewable by everyone, but no edit.

 

 

https://spaces.internet2.edu/display/RS/Routing+Security+Home

Attachment: smime.p7s
Description: S/MIME cryptographic signature