
netsec-sig - Re: [Security-WG] Junos min-ttl and as regex backref feature

Subject: Internet2 Network Security SIG

  • From: "Dale W. Carder" <>
  • To:
  • Cc:
  • Subject: Re: [Security-WG] Junos min-ttl and as regex backref feature
  • Date: Wed, 23 May 2018 21:57:11 -0500


The same thinking exists in the openconfig models from what I can tell
as well: https://github.com/openconfig/public/issues/141

(If you're using openconfig, feel free to pile on ;-)

Dale


Thus spake Jeff Bartig on Wed, May 23, 2018 at 09:50:49PM -0500:
> Hi John,
>
> Yes, I would be supportive of these features. I'd prioritize the back
> reference feature higher, since it is something that isn't possible today,
> while GTSM is possible, but not as easy as it could be.
>
> Jeff
>
> On 5/18/18, 11:47 AM, John Kristoff wrote:
> > Friends,
> >
> > You may remember last year I solicited support for an enhancement
> > request to harden the NTP daemon on Junos. This request has been filed
> > with Juniper.
> >
> > I'm thinking of two more I'd like to submit and am wondering if there
> > would again be support from this community. These are:
> >
> > * enhanced GTSM support for BGP sessions
> >
> > Utilizing GTSM for BGP peering sessions is not often used, because it
> > is not enabled by default and it requires non-trivial firewall
> > filters to actually enforce.
> >
> > Perhaps add a min-ttl setting under protocols bgp? Should the value
> > of 255 be the default so future generations can use a min-ttl setting?
> >
> > * backreferences in AS path regular expressions
> >
> > Cisco provides this feature and I have at least one use-case for it.
> > I'd like to be able to match an as-path that contains some number of
> > repeated ASNs (prepending) in order to apply a particular policy
> > (e.g. adjust LOCAL_PREF or reject the announcement altogether).
> >
> > I'm curious if anyone here would find these two enhancements desirable
> > and if you'd be willing to sign on to a request to Juniper in support.
> >
> > John
>
> --
> Jeff Bartig
> Interconnection Architect
> Internet2 AS11164 <http://as11164.peeringdb.com/> / AS11537
> +1-608-616-9908
>
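
The backreference use case from John's message (matching an AS path that contains a repeated, prepended ASN and then choosing a policy action), sketched here with Python's `re` module as an added example that is not from any message in the thread. It is not Junos or Cisco syntax; the function names, thresholds and sample paths are assumptions, and the AS path is assumed to be a space-separated AS_SEQUENCE.

```python
import re

def run_pattern(min_run):
    # One ASN repeated at least min_run times in a row. \1 is the
    # backreference: every repeat must equal the ASN captured by group 1,
    # so the policy never has to name a specific ASN. The (?<!\d) and
    # (?!\d) guards stop "645" from matching inside "6450".
    return re.compile(r"(?<!\d)(\d+)((?: \1(?!\d)){%d,})" % (min_run - 1))

def find_prepends(as_path, min_run=2):
    # Return [(asn, run_length)] for every prepended ASN in the path.
    return [(int(m.group(1)), 1 + m.group(2).count(" "))
            for m in run_pattern(min_run).finditer(as_path)]

def policy_action(as_path, depref_at=3, reject_at=6):
    # Map the longest run to an action. Thresholds are illustrative
    # assumptions, not values proposed in the thread.
    longest = max((n for _, n in find_prepends(as_path)), default=1)
    if longest >= reject_at:
        return "reject"
    if longest >= depref_at:
        return "lower-local-pref"
    return "accept"

# Constructed AS paths using documentation ASNs (RFC 5398).
SAMPLE_PATHS = [
    "64496 64497 64498",                                # no prepending
    "64496 64500 64500 64500 64498",                    # 3x prepend
    "64496 64501 64501 64501 64501 64501 64501 64501",  # 7x prepend
    "64496 645 6450 64500",                             # shared prefixes only
    "64496 64497 64497 64499 64499 64499",              # two separate runs
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{policy_action(path):17} {find_prepends(path)}  <- {path}")
```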


