> on the ground that only the following protocols are allowed to reach the
> RE:
> - BGP (runs PMTU so should not fragment packets)
> - ISIS is only L2 so it is not blocked by a firewall filter
> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
> - ssh, snmp, tacacs, ntp, ICMP, domain
>
> Is it correct to assume that for none of them it is necessary to allow
> fragments and packets with IP options?
> This way it is possible and safe to immediately reject on a loopback
> inbound filter all fragments and packets with IP options?

This may not be safe. In a network with non-standard MTU on some backbone
links, we have seen fragmented LDP traffic.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
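
One way to check the point raised in this thread before rejecting anything, as an added example that is not from either poster: count and log fragments and IP-option packets arriving at the RE, then let them fall through to the existing terms. The filter name, term names and counter names are hypothetical; the terms are assumed to sit at the top of the loopback input filter already in use.

```junos
firewall {
    family inet {
        filter protect-re {                 /* hypothetical name */
            /* First fragments still carry the TCP header, so the port
               can be matched: this isolates fragmented LDP sessions. */
            term measure-ldp-first-frag {
                from {
                    protocol tcp;
                    port 646;
                    first-fragment;
                }
                then {
                    count re-ldp-first-frag;
                    log;
                    next term;
                }
            }
            /* Trailing fragments have no L4 header, so only the
               protocol can be matched, not the port. */
            term measure-trailing-frag {
                from {
                    is-fragment;
                }
                then {
                    count re-trailing-frag;
                    log;
                    next term;
                }
            }
            term measure-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count re-ip-options;
                    log;
                    next term;
                }
            }
            /* existing accept and reject terms follow unchanged */
        }
    }
}
```

Counters can be read with `show firewall filter protect-re`; counters that stay at zero over a representative period are the evidence needed before turning these terms into rejects.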