Mailing List Archive

Logging MAC addresses
All,

We're seeing from time to time spoofed packets hitting the firewall filters,
sometimes at rates at which it's becoming a nuisance. Hence, we'd like to know
who's sending all this garbage. On a Cisco, there's the log-input keyword.
So far, I haven't found the Juniper equivalent of that. Have any of you?

Cheers,

Arjan H

Not even a clue-by-four would work with this clown.
________________________________
dr. Arjan Hulsebos
Security Engineer
Essent Kabelcom West, a.k.a. @Home Benelux
1042 AX Amsterdam
Email: arjanh@corp.home.nl
Tel: +31 20 88 55 407
Mob: +31 6 21 548 777

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://puck.nether.net/pipermail/juniper-nsp/attachments/20030326/0f5e9e7f/attachment.htm
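The Cisco side of the question above is what the log-input keyword gives you: each ACL hit is logged with the ingress interface and the source MAC, so spoofed sources can be traced back to the station that actually sent them. The following is an added example, not code from the thread or from Cisco; it parses IOS `%SEC-6-IPACCESSLOG*` syslog lines in the layout I assume log-input produces (interface and MAC in parentheses after the source address) and attributes denied packets per interface/MAC. The log lines, addresses and MACs are constructed for the example.

```python
#!/usr/bin/env python3
"""Attribute ACL-denied packets to ingress interface and source MAC using the
extra fields that Cisco IOS adds to ACL log messages when 'log-input' is set.
Added example for the thread; the message layout is an assumption."""
import re
from collections import defaultdict

# Constructed sample syslog lines (assumed IOS log-input layout; the
# parenthesised part after the source address is "<ingress-interface> <src-mac>").
# All addresses, MACs and hostnames here are made up.
SAMPLE_LOG = """\
Mar 26 10:15:01 edge1 101: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.9.9.9(40000) (FastEthernet0/0 0011.2233.4455) -> 192.0.2.10(53), 1 packet
Mar 26 10:15:02 edge1 102: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.16.5.5(40001) (FastEthernet0/0 0011.2233.4455) -> 192.0.2.10(53), 3 packets
Mar 26 10:15:03 edge1 103: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.9.9.9 (FastEthernet0/0 0011.2233.4455) -> 192.0.2.11 (8/0), 2 packets
Mar 26 10:15:04 edge1 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(5555) (FastEthernet0/1 00aa.bbcc.ddee) -> 192.0.2.12(80), 1 packet
Mar 26 10:15:05 edge1 105: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Tolerates the TCP/UDP form (ports in parentheses), the ICMP form
# (type/code after the destination) and the generic form (no ports).
LOG_INPUT_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"\((?P<iface>\S+) (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one log-input ACL message, or None for other lines."""
    m = LOG_INPUT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def attribute(lines):
    """Group denied packets by (ingress interface, source MAC) and remember
    which source IPs each station claimed."""
    stats = defaultdict(lambda: {"packets": 0, "claimed_sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["iface"], rec["mac"])
        stats[key]["packets"] += rec["count"]
        stats[key]["claimed_sources"].add(rec["src"])
    return dict(stats)


def likely_spoofers(stats, min_sources=2):
    """One MAC claiming several different source IPs is the signature of
    spoofing rather than of a single misconfigured host."""
    return sorted(
        (iface, mac)
        for (iface, mac), s in stats.items()
        if len(s["claimed_sources"]) >= min_sources
    )


if __name__ == "__main__":
    stats = attribute(SAMPLE_LOG.splitlines())
    for (iface, mac), s in sorted(stats.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{iface:16} {mac}  packets={s['packets']:4}  "
              f"claimed sources={sorted(s['claimed_sources'])}")
    print("likely spoofers:", likely_spoofers(stats))
```

On a real box, feed it the syslog export from the router that holds the ACL; the (interface, MAC) pair then points at the switch port or exchange participant to chase, which is exactly the information the replies below say a JunOS firewall filter no longer has when it runs.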
Logging MAC addresses [ In reply to ]
All,

We're seeing from time to time spoofed packets hitting the firewall filters,
sometimes at rates at which it's becoming a nuisance. Hence, we'd like to know
who's sending all this garbage. On a Cisco, there's the log-input keyword.
So far, I haven't found the Juniper equivalent of that. Have any of you?

Cheers,

Arjan H

Not even a clue-by-four would work with this clown.
________________________________
dr. Arjan Hulsebos
Security Engineer
Essent Kabelcom West, a.k.a. @Home Benelux
1042 AX Amsterdam
Email: arjanh@corp.home.nl
Tel: +31 20 88 55 407
Mob: +31 6 21 548 777

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://puck.nether.net/pipermail/juniper-nsp/attachments/20030401/bcb05882/attachment.htm
Logging MAC addresses [ In reply to ]
On Tue, Apr 01, 2003 at 05:58:05PM +0200, Arjan Hulsebos wrote:
| Logging MAC addresses
|
| All,
|
| We're seeing from time to time spoofed packets hitting the firewall filters,
| sometimes at rates at which it's becoming a nuisance. Hence, we'd like to know
| who's sending all this garbage. On a Cisco, there's the log-input keyword.
| So far, I haven't found the Juniper equivalent of that. Have any of you?

Unfortunately the IO manager ASIC strips away link-layer information,
so by the time the packets hit the firewalling engine we do not have
source MAC addresses available anymore.

Assuming that it is a non-peer that is causing this, I'd recommend
turning on MAC address filtering.

/hannes
Logging MAC addresses [ In reply to ]
On Tue, Apr 01, 2003 at 09:19:38PM +0200, Hannes Gredler wrote:
> On Tue, Apr 01, 2003 at 05:58:05PM +0200, Arjan Hulsebos wrote:
> | Logging MAC addresses
> |
> | All,
> |
> | We're seeing from time to time spoofed packets hitting the firewall filters,
> | sometimes at rates at which it's becoming a nuisance. Hence, we'd like to know
> | who's sending all this garbage. On a Cisco, there's the log-input keyword.
> | So far, I haven't found the Juniper equivalent of that. Have any of you?
>
> Unfortunately the IO manager ASIC strips away link-layer information,
> so by the time the packets hit the firewalling engine we do not have
> source MAC addresses available anymore.
>
> Assuming that it is a non-peer that is causing this, I'd recommend
> turning on MAC address filtering.

Hannes,

It sounds like you're missing the point.

If you are on a public switched exchange or in your own
network doing hop-by-hop traceback, knowing the MAC address of
the person who sent the packet (or frame) is important and
something that Juniper has been lacking.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Logging MAC addresses [ In reply to ]
Hello Arjan,

* ahulsebos@corp.home.nl (Arjan Hulsebos) [Sun 06 Apr 2003, 19:36 CEST]:
> We're seeing from time to time spoofed packets hitting the firewall filters,
> sometimes at rates at which it's becoming a nuisance. Hence, we'd like to know
> who's sending all this garbage. On a Cisco, there's the log-input keyword.
> So far, I haven't found the Juniper equivalent of that. Have any of you?

I assume you're talking about an Internet exchange point context here.
Unfortunately, in JunOS architecture, the moment a packet arrives at the
firewall filters no information about source MAC address is available
anymore.


-- Niels.
