Mailing List Archive

TTL value check
Hi,
I'm trying to figure out how a Juniper can check
a TTL value in the "firewall filter from" statement.
(in order to test the feasibility of some recommendations
from the BGP TTL Security Hack (BTSH) IETF draft).
http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt

I searched on jnpr web site and didn't find anything relevant:
http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config11.html

Any idea?

Cheers,

Nicolas.
TTL value check [ In reply to ]
On Mon, Mar 03, 2003 at 11:47:36AM +0100, Nicolas Fevrier wrote:
> Hi,
> I'm trying to figure out how a Juniper can check
> a TTL value in the "firewall filter from" statement.
> (in order to test the feasibility of some recommendations
> from the BGP TTL Security Hack (BTSH) IETF draft).
> http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt
>
> I searched on jnpr web site and didn't find anything relevant:
> http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config11.html

Filtering packets by TTL would be useful, therefore it is currently not
supported.

Another thing that is not supported: a simple match criterion where you
specify the offset into the packet, the size of the word (8, 16, and 32
bit would be plenty fine), and the value you want to match. This would be
too useful in filtering DoS, so of course it can't be done.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
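As an added example (not code posted by anyone in this thread), the two checks under discussion written out in Python: the receive-side BTSH/GTSM TTL test Nicolas wants to apply to BGP traffic, and the generic offset / word-size / value match Richard describes. The header layout is standard IPv4 and TCP; the packets are constructed inline for illustration.

```python
import struct

IPV4_MIN_HDR = 20   # bytes; IPv4 TTL sits at offset 8, protocol at offset 9
PROTO_TCP = 6
BGP_PORT = 179


def word_at(pkt: bytes, offset: int, width: int) -> int:
    """Richard's generic match primitive: read an 8-, 16- or 32-bit
    big-endian word at a byte offset into the packet."""
    fmt = {8: "!B", 16: "!H", 32: "!I"}[width]
    return struct.unpack_from(fmt, pkt, offset)[0]


def match_at(pkt: bytes, offset: int, width: int, value: int) -> bool:
    """True when the word at (offset, width) equals value; False if the
    packet is too short to contain that word."""
    if offset + width // 8 > len(pkt):
        return False
    return word_at(pkt, offset, width) == value


def gtsm_accept(pkt: bytes, trust_radius: int = 0) -> bool:
    """BTSH/GTSM receive-side check for BGP (TCP/179) packets.

    A peer sends with TTL 255; with trust_radius intermediate routers the
    packet may legitimately arrive with TTL down to 255 - trust_radius.
    Anything lower cannot have originated inside the trusted radius and is
    dropped. Non-BGP traffic is left for other filter terms to decide.
    """
    if len(pkt) < IPV4_MIN_HDR or pkt[0] >> 4 != 4:
        return False                       # malformed: drop
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if word_at(pkt, 9, 8) != PROTO_TCP:
        return True                        # GTSM only guards the BGP session
    if not match_at(pkt, ihl + 2, 16, BGP_PORT):
        return True                        # TCP, but not destined to BGP
    return word_at(pkt, 8, 8) >= 255 - trust_radius


def build_pkt(ttl: int, dport: int, proto: int = PROTO_TCP) -> bytes:
    """Constructed IPv4+TCP header (no payload) for testing; checksums are
    left zero because nothing here validates them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp
```

With trust_radius=0 (a directly connected peer) only TTL 255 passes; a spoofed segment injected several hops away arrives with a lower TTL and is discarded before it reaches the BGP process.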
TTL value check [ In reply to ]
Barring the cynicism I'd agree :D.

-- steve

TTL value check [ In reply to ]
Thanks for the suggestions - we'll discuss this with engineering.

TTL value check [ In reply to ]
I believe this has already been a feature request and likely discussed
by Jnpr's eng team. Hence the aforementioned cynicism.

It's interesting that you can filter on many things inside the IP header
and TCP header except the things that real production networks would use.

Being able to get at the following three fields would be optimal for most
network operators: IP TTL, TCP options (particularly invalid MSS options),
and TCP window size. If an implementation such as RAS described cannot
be fully realized, then maybe at least these three fields can be matched.

dre

On Mon, Mar 03, 2003 at 08:51:53AM -0800, Paul Goyette wrote:
> Thanks for the suggestions - we'll discuss this with engineering.
>
> On Mon, Mar 03, 2003 at 11:47:36AM +0100, Nicolas Fevrier wrote:
> > I searched on jnpr web site and didn't find anything relevant:
> > http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config11.html
>
> Filtering packets by TTL would be useful, therefore it is currently not
> supported.
>
> Another thing that is not supported, a simple match criteria where you
> specify the offset into the packet, the size of the word (8, 16, and 32
> bit would be plenty fine), and the value you want to match. This would be
> too useful in filtering DoS, so of course it can't be done.
>
> --
> Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras