netsec-sig - Re: [Security-WG] Junos min-ttl and as regex backref feature
Subject: Internet2 Network Security SIG
- From: Jeff Bartig <>
- Subject: Re: [Security-WG] Junos min-ttl and as regex backref feature
- Date: Wed, 23 May 2018 21:50:49 -0500
Hi John,
Yes, I would be supportive of these features. I'd prioritize the back reference feature higher, since it is something that isn't possible today, while GTSM is possible, but not as easy as it could be.

Jeff

On 5/18/18, 11:47 AM, John Kristoff wrote:

> Friends,
>
> You may remember last year I solicited support for an enhancement request to harden the NTP daemon on Junos. This request has been filed with Juniper. I'm thinking of two more I'd like to submit and am wondering if there would again be support from this community. These are:
>
> * enhanced GTSM support for BGP sessions
>
>   Utilizing GTSM for BGP peering sessions is not often used, because it is not enabled by default and it requires non-trivial firewall filters to actually enforce. Perhaps add a min-ttl setting under protocols bgp? Should the value of 255 be the default so future generations can use a min-ttl setting?
>
> * backreferences in AS path regular expressions
>
>   Cisco provides this feature and I have at least one use-case for it. I'd like to be able to match an as-path that contains some number of repeated ASNs (prepending) in order to apply a particular policy (e.g. adjust LOCAL_PREF or reject the announcement altogether).
>
> I'm curious if anyone here would find these two enhancements desirable and if you'd be willing to sign on to a request to Juniper in support.
>
> John
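The prepending match discussed in this message, sketched with Python's `re` module as an added example (not part of either message, and not Junos or Cisco policy syntax). The function names, the run-length threshold and the LOCAL_PREF values are assumptions, and the sample paths are constructed from documentation ASNs.

```python
import re

# An ASN followed by one or more copies of itself. \1 is the backreference:
# without it, every ASN that might be prepended would have to be listed.
# The \b anchors keep 64500 from matching inside 645001.
PREPEND_RE = re.compile(r"\b(\d+)((?: \1\b)+)")


def prepends(as_path):
    """Map each back-to-back repeated ASN to its longest run length."""
    runs = {}
    for m in PREPEND_RE.finditer(as_path):
        asn = int(m.group(1))
        length = 1 + len(m.group(2).split())
        runs[asn] = max(length, runs.get(asn, 0))
    return runs


def policy(as_path, max_run=3, depref=50, default=100):
    """Return (action, local_pref). Threshold and values are assumptions."""
    runs = prepends(as_path)
    if any(n > max_run for n in runs.values()):
        return ("reject", None)      # excessive prepending
    if runs:
        return ("accept", depref)    # prepended, but within the limit
    return ("accept", default)       # no prepending at all


# Constructed sample AS paths (space-separated, documentation ASNs).
SAMPLES = [
    "64500 64501 64502",
    "64500 64501 64501 64501",
    "64500 64502 64502 64502 64502 64502 64496",
    "64500 645001 64500",            # similar digits, not a prepend
    "64500 {64501,64501}",           # AS_SET members are not a prepend run
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:50} {prepends(path)} -> {policy(path)}")
```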
- [Security-WG] Junos min-ttl and as regex backref feature, John Kristoff, 05/18/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, Andrew Gallo, 05/20/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, Jeff Bartig, 05/24/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, Dale W. Carder, 05/24/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, John Kristoff, 05/29/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, Jeff Bartig, 05/29/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, John Kristoff, 05/29/2018
- Re: [Security-WG] Junos min-ttl and as regex backref feature, Jeff Bartig, 05/29/2018