> Saku Ytti
> Sent: Wednesday, March 18, 2020 4:37 PM
>
> On Wed, 18 Mar 2020 at 18:30, John Kristoff <j...@depaul.edu> wrote:
>
> > Yep, I get all that. I can tighten that up. Care to show us how you
> > do loopback filters?
>
> Really Juniper would be in the best position to automatically generate
> lo0 filter when none is provided, which would be really really good, not
> optimal, but really good. Bit of like generated-LPTS.
>
That, but most importantly separate control-plane and management-plane security like in XR.
If one could do this in Junos:

XR-example:
control-plane
 management-plane
  inband
   interface xxxxxxx
    allow SSH
-listing only my core facing and/or oob mgmt ports.

Then it would not matter that operator's iACL or lo0 filter has holes (allowing ssh from BGP source port).

adam
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp