Dear all,

Currently, out of the box, a device running Junos will accept any routes and announce any routes on an EBGP session when no import or export policy is defined for that neighbor. This oftentimes is not the appropriate behavior in the context of Internet routing, as it can easily result in full table route leaks.

Adam Chappell created an interesting shim to improve the default behaviour related to EBGP Internet routing on Juniper Junos via a commit script. You can download the SLAX script here: https://github.com/packetsource/rfc8212-junos

The commit script ensures an implicit “deny-any” policy is provisioned on all EBGP sessions for either the import or export direction (or both) if the respective import/export policies are absent. In other words: if you forget to configure an export policy statement, the commit script ensures a deny-any export statement is put in place. This protects both yourself and your neighbor!

Props to both Adam for creating the script and to Juniper for allowing such permissionless patching! This is cool!

Some background info on RFC 8212 can be found here: https://medium.com/@jobsnijders/heads-up-rfc-8212-on-default-ebgp-route-handling-behavior-6146931f0fa3

Kind regards,

Job
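
The gap described in the post can also be audited offline. The Python sketch below is an added example, not part of the original post and not Adam Chappell's SLAX script: it reads a configuration in `show configuration | display set` form and lists every EBGP neighbor that has no import or no export policy. It assumes EBGP groups carry an explicit `type external`, looks only at the main routing instance, and treats a policy at neighbor, group or global `protocols bgp` level as covering the session; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form; group names, ASNs and addresses are made up.
SAMPLE = """\
set protocols bgp group TRANSIT type external
set protocols bgp group TRANSIT import TRANSIT-IN
set protocols bgp group TRANSIT neighbor 192.0.2.1 peer-as 64500
set protocols bgp group TRANSIT neighbor 192.0.2.5 peer-as 64501
set protocols bgp group TRANSIT neighbor 192.0.2.5 export TRANSIT-OUT
set protocols bgp group PEERS type external
set protocols bgp group PEERS neighbor 198.51.100.1 peer-as 64502
set protocols bgp group IBGP type internal
set protocols bgp group IBGP neighbor 10.0.0.2
"""

# Captures optional group, optional neighbor, and the first statement keyword.
LINE = re.compile(
    r"^set protocols bgp(?: group (\S+))?(?: neighbor (\S+))?(?: (\S+)(?: .*)?)?$")

def audit(config_text):
    """Return sorted (group, neighbor, direction) for EBGP neighbors lacking a policy."""
    has = defaultdict(set)        # (group, neighbor) scope -> directions set there
    types, neighbors = {}, defaultdict(set)
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        group, nbr, stmt = m.groups()
        if group and nbr:
            neighbors[group].add(nbr)
        if stmt in ("import", "export"):
            has[(group, nbr)].add(stmt)
        elif stmt == "type" and group and not nbr:
            types[group] = line.split()[-1]
    findings = []
    for group, nbrs in neighbors.items():
        if types.get(group) != "external":   # assumption: explicit "type external"
            continue
        for nbr in nbrs:
            # Neighbor, group or global level policy covers the session.
            covered = has[(group, nbr)] | has[(group, None)] | has[(None, None)]
            findings += [(group, nbr, d) for d in ("import", "export")
                         if d not in covered]
    return sorted(findings)

if __name__ == "__main__":
    for group, nbr, direction in audit(SAMPLE):
        print(f"{group} {nbr}: no {direction} policy configured")
```
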