Cogent Layer 2

Saku Ytti saku at ytti.fi
Thu Oct 15 15:08:09 UTC 2020


On Thu, 15 Oct 2020 at 17:49, Ryan Hamel <ryan at rkhtech.org> wrote:

> > So you're dropping in every edge all UDP packets towards these three ports? Your customers may not appreciate.
> You must not be familiar with JUNOS' ACL handling. This would be applied to interface lo0, which is specifically for control planes. No data plane traffic to customers would be hit.

I'm sure there are some gaps in knowledge at play here.

There are many reasons why packets hit the control-plane and are not
subject to the lo0 filter, for example TTL expiry. Also, as I tried to
communicate with little success, BFD is implemented in NPU ucode and
you are subjected to NPU ucode bugs.
The bug I'm talking about does not require you to use or configure
BFD; it just needs the NPU to parse it, and your FPC is gone. Same deal
with the Cisco issue I'm talking about.

I've not yet seen a single non-broken Junos control-plane protection;
everyone has terribly poorly written lo0 filters, no one has any idea
how to configure ddos-protection. If you use some canonical sources to do
this, like Cymru or Juniper's MX book, as your source, you'll get it all
wrong, as they both contain trivial and naive errors.

But if you do manage to configure lo0 and ddos-protection correctly,
you're still exposed to a wide array of packet-of-death style vectors.
Just yesterday, on Junos SIRT day, there was a bug where your KRT will become
wedged if you sample (IPFIX) a specifically crafted packet; this will be
a transit packet.

Problems become increasingly simple the less you understand them.

-- 
  ++ytti
