On Thu, Sep 10, 2009 at 12:40 PM, Alexandre Snarskii <s...@snar.spb.ru> wrote:

> On Thu, Sep 10, 2009 at 01:06:16PM +0200, Bit Gossip wrote:
>> Experts,
>> on the ground that only the following protocols are allowed to reach the RE:
>> - BGP (runs PMTU so should not fragment packets)
>> - ISIS is only L2 so it is not blocked by a firewall filter
>> - OSPF, LDP, RSVP, PIM, IGMP, BFD, VRRP: don't know about them
>> - ssh, snmp, tacacs, ntp, icmp, domain
>>
>> Is it correct to assume that for none of them is it necessary to allow
>> fragments and packets with IP options?
>> This way it is possible and safe to immediately reject on a loopback
>> inbound filter all fragments and packets with IP options?
>
> At least IGMP packets usually have Router-Alert option set.
> Not sure about VRRP (tcpdump shows no options) and BFD.

RSVP also uses Router Alert option in PATH messages when initially signalling an LSP to establish soft-state on downstream transit routers.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
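The thread's conclusion is that a loopback filter cannot blindly discard every packet carrying IP options, because IGMP and RSVP PATH messages legitimately set Router Alert. The configuration below is an added illustration of how that carve-out is usually expressed on Junos; it is not from the original thread or from any poster. The filter name `protect-re`, the counter names and the term order are assumptions of this example, and the terms for the remaining permitted protocols (BGP, OSPF, LDP, PIM, BFD, VRRP, ssh, snmp, tacacs, ntp, icmp, domain) are left as a comment since the thread does not specify them.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Fragments: none of the protocols listed in the thread need them to
               reach the RE, so they are dropped first and counted for visibility. */
            term drop-fragments {
                from {
                    is-fragment;
                }
                then {
                    count fragments-dropped;
                    log;
                    discard;
                }
            }
            /* Router Alert is required by IGMP and by RSVP PATH messages.
               These terms must precede the generic ip-options drop, because
               Junos evaluates terms in order and stops at the first match. */
            term allow-router-alert-igmp {
                from {
                    protocol igmp;
                    ip-options router-alert;
                }
                then accept;
            }
            term allow-router-alert-rsvp {
                from {
                    protocol rsvp;
                    ip-options router-alert;
                }
                then accept;
            }
            /* Any other IP option (source routing, record route, timestamp, ...)
               is not needed by the permitted protocols and is discarded. */
            term drop-other-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count ip-options-dropped;
                    log;
                    discard;
                }
            }
            /* Per-protocol accept terms for BGP, OSPF, LDP, PIM, BFD, VRRP,
               ssh, snmp, tacacs, ntp, icmp and domain go here, each
               restricted to trusted source prefixes. */
            term default-deny {
                then {
                    count re-default-deny;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two points a practitioner should check before committing: the `is-fragment` term matches non-initial fragments only, so the first fragment of a fragmented datagram still falls through to the protocol terms, and `discard` (silent) is used rather than `reject` so the router does not generate ICMP replies for dropped packets. Watching the `fragments-dropped` and `ip-options-dropped` counters after deployment (`show firewall filter protect-re`) is the simplest way to confirm no control-plane protocol relied on a packet type the filter now drops.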