On Thu, Sep 10, 2009 at 01:06:16PM +0200, Bit Gossip wrote:
> Experts,
> on the ground that only the following protocols are allowed to reach the
> RE:
> - BGP (runs PMTU so should not fragment packets)
> - ISIS is only L2 so it is not blocked by a firewall filter
> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
> - ssh, snmp, tacacs, ntp, Icmp, domain
>
> Is it correct to assume that for none of them is it necessary to allow
> fragments and packets with IP options?
> This way it is possible and safe to immediately reject on a loopback
> inbound filter all fragments and packets with IP options?
At least IGMP packets usually have the Router-Alert option set. Not sure about VRRP (tcpdump shows no options) and BFD.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
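The point raised in the reply (IGMP carries the Router-Alert IP option, so a loopback filter that rejects every packet with IP options silently breaks IGMP) can be checked against real header bytes. The following is an added example written for this page, not code from the thread or from Juniper: it parses an IPv4 header, classifies the packet as fragment / options / clean, and applies the policy the poster proposed with one exception for Router-Alert on IGMP. Sample packets are constructed inline (checksums left zero, not meant for transmission), and the set of protocols allowed to carry Router-Alert is an assumption that a real filter would extend per protocol.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_IGMP = 2
IPOPT_END = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131          # loose source route
IPOPT_ROUTER_ALERT = 148  # RFC 2113: copied flag set, class 0, number 20

# Protocols that legitimately carry Router-Alert toward the RE.
# Assumption for this example: only IGMP, as stated in the reply above.
ROUTER_ALERT_ALLOWED_PROTOS = {IPPROTO_IGMP}


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and walk its option list (payload is not decoded)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    options = []
    opt = pkt[20:ihl]
    i = 0
    while i < len(opt):
        kind = opt[i]
        if kind == IPOPT_END:
            break
        if kind == IPOPT_NOP:           # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opt):
            raise ValueError("malformed option: missing length")
        length = opt[i + 1]
        if length < 2 or i + length > len(opt):
            raise ValueError("malformed option length")
        options.append((kind, opt[i + 2:i + length]))
        i += length
    # Both the first fragment (MF set, offset 0) and later ones count as fragments.
    return {"proto": proto, "is_fragment": more_fragments or frag_offset != 0,
            "options": options}


def loopback_policy(pkt: bytes) -> str:
    """Decision an RE-bound (loopback) filter would take: 'accept' or a reject reason."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return f"reject: {exc}"
    if hdr["is_fragment"]:
        return "reject: fragment"
    kinds = [k for k, _ in hdr["options"]]
    if kinds == [IPOPT_ROUTER_ALERT] and hdr["proto"] in ROUTER_ALERT_ALLOWED_PROTOS:
        return "accept"                 # the IGMP case the reply warns about
    if kinds:
        return "reject: ip-options"
    return "accept"


def build_ipv4(proto: int, options: bytes = b"", frag_offset: int = 0,
               more_fragments: bool = False, payload: bytes = b"") -> bytes:
    """Build a minimal constructed IPv4 packet for testing (checksum zero, not for sending)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0,
                      flags_frag, 1, proto, 0, bytes([10, 0, 0, 1]), bytes([224, 0, 0, 1]))
    return hdr + options + payload


# Constructed samples.
ROUTER_ALERT_OPT = bytes([IPOPT_ROUTER_ALERT, 4, 0, 0])
SAMPLE_IGMP_RA = build_ipv4(IPPROTO_IGMP, ROUTER_ALERT_OPT,
                            payload=b"\x16\x00\x00\x00\xe0\x00\x00\x01")  # IGMPv2 report
SAMPLE_BGP = build_ipv4(IPPROTO_TCP, payload=b"\x00" * 20)               # plain TCP, no options
SAMPLE_FRAG = build_ipv4(IPPROTO_TCP, frag_offset=100)                   # non-first fragment
SAMPLE_LSRR = build_ipv4(IPPROTO_TCP, bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 2]))


if __name__ == "__main__":
    for name, pkt in [("IGMP+RA", SAMPLE_IGMP_RA), ("BGP", SAMPLE_BGP),
                      ("fragment", SAMPLE_FRAG), ("LSRR", SAMPLE_LSRR)]:
        print(f"{name:10s} -> {loopback_policy(pkt)}")
```

The classifier mirrors what a loopback filter has to express: fragments and IP options are separate match conditions, and a blanket "any option" reject has to be preceded by a narrower accept for Router-Alert on the protocols that need it, otherwise the IGMP traffic the reply mentions never reaches the RE. Malformed option lists are rejected rather than passed through, which is the conservative choice for anything addressed to the control plane.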