
netsec-sig - Re: [Security-WG] Junos min-ttl and as regex backref feature

Subject: Internet2 Network Security SIG

  • From: Jeff Bartig
  • Subject: Re: [Security-WG] Junos min-ttl and as regex backref feature
  • Date: Tue, 29 May 2018 14:20:24 -0500

John,

The back reference page you reference is specifically about the config CLI "replace" command:  REPLACE searchstring WITH replacestring

Based on your original message about wanting to match AS prepending in AS paths, I thought you were looking for the equivalent of the following Cisco as-path regex: 
_([0-9]+)(_\1)+_

The above regex should match any ASN and then match one or more repeats of the initially matched ASN.

So far, my attempts to use the \1 back reference in Junos SHOW ROUTE ASPATH-REGEX commands result in the \1 being treated as just a "1", rather than as a back reference.

Jeff

On 5/29/18, 11:16 AM, John Kristoff wrote:
> On Wed, 23 May 2018 21:50:49 -0500
> Jeff Bartig wrote:
>
> > Yes, I would be supportive of these features.  I'd prioritize the back
> > reference feature higher, since it is something that isn't possible
> > today, while GTSM is possible, but not as easy as it could be.
>
> So apparently the back reference exists already:
>
>   <https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-cli-replace-command-regular-expressions.html>
>
> I thought this page was referring to edit mode search and replace.  I'm
> guessing no one here who is still listening to me was aware of this
> either.  I'll play around with captures when I get a chance.
>
> That leaves the GTSM proposal.  After some discussion with some other
> colleague in a big network, ingress GTSM support might be non-trivial,
> but there may not be an easy way to get this functionality like there
> is in IOS.  One suggestion was to put GTSM-enabled peers in a BGP group
> and then use an apply-path in a loopback filter on a ttl 255 filter.
> Not crazy about using GTSM BGP groups, but I'll think on this one a
> little more.
>
> John

--
Jeff Bartig
Interconnection Architect
Internet2  AS11164 / AS11537
+1-608-616-9908
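
The Cisco pattern quoted in the message above, `_([0-9]+)(_\1)+_`, can be tried offline with Python's `re` module, which does honor `\1`. This is an added example, not code from either poster or from any vendor; the function name, the delimiter class standing in for Cisco's `_`, and the sample AS paths (documentation ASNs) are assumptions constructed for the illustration. It goes slightly beyond the original pattern by reporting how many times each ASN occurs, and it shows why the `_` delimiters are needed to avoid false hits on ASNs that share digits.

```python
import re

# Cisco's "_" matches start/end of string, a space, comma, braces or parentheses.
DELIM = r"[ ,{}()]"

# Python rendering of _([0-9]+)(_\1)+_ ; the trailing "_" becomes a lookahead
# so that back-to-back prepend runs in one path are all reported.
PREPEND_RE = re.compile(
    rf"(?:^|{DELIM})([0-9]+)((?:{DELIM}\1)+)(?=$|{DELIM})"
)

# Same idea without the delimiters, to show why they matter.
UNANCHORED_RE = re.compile(r"([0-9]+)( \1)+")


def find_prepends(as_path):
    """Return [(asn, occurrences), ...] for each run of a repeated ASN."""
    runs = []
    for m in PREPEND_RE.finditer(as_path):
        repeats = len(re.findall(r"[0-9]+", m.group(2)))
        runs.append((int(m.group(1)), repeats + 1))
    return runs


# Constructed sample AS paths (not taken from a real routing table).
SAMPLE_PATHS = [
    "64500 64501 64501 64501 64510",  # 64501 prepended twice
    "64500 64500 64502 64502",        # two separate runs
    "64500 64501 64502",              # no prepending
    "645 6450 64500",                 # shared digit prefixes, no prepending
    "1645 645 64510",                 # shared digit suffix, no prepending
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path!r:34} anchored={find_prepends(path)} "
              f"unanchored_hit={bool(UNANCHORED_RE.search(path))}")
```

The last two sample paths contain no prepending, yet the unanchored pattern matches them because `645` is a prefix or suffix of a neighbouring ASN; the delimited pattern does not.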


