
netsec-sig - Re: [Security-WG] Junos min-ttl and as regex backref feature

  • From: Andrew Gallo <>
  • To:
  • Cc:
  • Subject: Re: [Security-WG] Junos min-ttl and as regex backref feature
  • Date: Sun, 20 May 2018 13:53:33 -0700

I would like to see the GTSM enhancement.  Other UIs place this config in the BGP section, but not Junos.  There are some commit scripts around to allow you to use an 'apply-macro' tag in a BGP group.  I've brought this up with someone from Juniper and his reaction was a bit cool: security things go in firewall filter lists, not elsewhere.  I'm not discouraging pursuit of this enhancement, but I wouldn't be surprised if Junos purists reject the idea.



On Fri, May 18, 2018 at 9:47 AM, John Kristoff <> wrote:
Friends,

You may remember last year I solicited support for an enhancement
request to harden the NTP daemon on Junos.  This request has been filed
with Juniper.

I'm thinking of two more I'd like to submit and am wondering if there
would again be support from this community.  These are:

* enhanced GTSM support for BGP sessions

  Utilizing GTSM for BGP peering sessions is not often used, because it
  is not enabled by default and it requires non-trivial firewall
  filters to actually enforce.

  Perhaps add a min-ttl setting under protocols bgp?  Should the value
  of 255 be the default so future generations can use a min-ttl setting?

* backreferences in AS path regular expressions

  Cisco provides this feature and I have at least one use-case for it.
  I'd like to be able to match an as-path that contains some number of
  repeated ASNs (prepending) in order to apply a particular policy
  (e.g. adjust LOCAL_PREF or reject the announcement altogether).

I'm curious if anyone here would find these two enhancements desirable
and if you'd be willing to sign on to a request to Juniper in support.

John
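As an added illustration, not part of either message above, the following Python shows the kind of AS-path match John describes: a regex backreference finds any ASN that is immediately repeated (prepending), and a constructed policy derives a LOCAL_PREF adjustment or a reject from the longest run. The ASNs, threshold and preference values are constructed for the example.

```python
import re

# Backreference regex: capture an ASN, then require one or more immediate
# repeats of that same ASN.  Without backreferences each ASN of interest
# would need its own literal pattern (e.g. "_64501_64501_").
PREPEND_RE = re.compile(r"\b(\d+)(?: \1)+\b")


def find_prepends(as_path: str):
    """Return [(asn, run_length), ...] for every prepended run in as_path.

    as_path is a space-separated AS_PATH, e.g. "64500 64501 64501 64502".
    """
    runs = []
    for m in PREPEND_RE.finditer(as_path):
        asn = m.group(1)
        run_length = m.group(0).split().count(asn)  # group(0) is the whole run
        runs.append((int(asn), run_length))
    return runs


def policy_action(as_path: str, reject_threshold: int = 4):
    """Constructed policy: return ("accept", local_pref) or ("reject", None).

    A path with no prepending keeps LOCAL_PREF 100; each extra prepend of
    the longest run lowers it by 10; runs at or above reject_threshold are
    rejected outright.  Numbers are illustrative, not from the original post.
    """
    runs = find_prepends(as_path)
    if not runs:
        return ("accept", 100)
    longest = max(run_length for _, run_length in runs)
    if longest >= reject_threshold:
        return ("reject", None)
    return ("accept", 100 - 10 * (longest - 1))


if __name__ == "__main__":
    # Constructed sample paths using documentation ASNs (RFC 5398 range).
    for path in ("64500 64501 64502",
                 "64500 64501 64501 64501 64502",
                 "64500 64501 64501 64501 64501 64502",
                 "64500 64501 645011"):  # 645011 is not a repeat of 64501
        print(f"{path!r:45} prepends={find_prepends(path)} -> {policy_action(path)}")
```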




