25.06.2012 16:06, Scott T. Cameron:
1. First, sorry for writing this once again, but it's just not the
case.
Any more or less smart stateful device, whether SRX or anything else,
must not create session states for packets falling under a discard
route. And SRX does not,
This is exactly what happened. The session table filled up. One of
our security guys took down our edge 650 cluster from a single unix
box out on the net.
This is what happens when you use a stateful box for an internet router.
a router with a covering aggregate and some knowledge of the
On Mon, Jun 25, 2012 at 6:56 AM, Pavel Lunin plu...@senetsy.ru wrote:
This is exactly what happened. The session table filled up. One of
our security guys took down our edge 650 cluster from a single unix
box out on the net.
This is what happens when you use a stateful box for an
While it's true that, like all flow-based devices, the session table is
susceptible to session table attacks, there are some major built-in
protection schemes put into place to limit the effectiveness and
protect the SRX. For the record, your proof of concept would take a lot
of pps to fill up the
Actually, we used mx80's as our Internet routers. What do you suppose I use to
handle my firewalling, ipsec and nat?
Thank you everyone, I will pop back to this thread when I change things up and
have our security guy test again.
Sent from my iPhone
On Jun 22, 2012, at 9:39 PM, joel jaeggli
Generally you only want to bring traffic down to your SRX that can actually
be used. There's no reason to advertise a /24 to your MX via IGP when
you're only actually using a /27 -- the leftover is just going to take up
sessions through random internet scans, etc.
Forcing advertisements of /32
Sorry for the top post... Seems phone vendors haven't figured out how to create
a decent email editor on a phone yet.
When I worked at Arbor, we always recommended that customers front-end
anything maintaining state (i.e. a SFW) with something that didn't (i.e. a
router) and to use
I have a /24 I want to announce, but I don't actually have it anywhere on
the network. I NAT some of its IPs on the SRX that has the BGP session
with our providers.
Static discard is really the best way. Aggregate/generate routes are
also theoretically possible, but if you are not sure you
On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean wrx...@gmail.com wrote:
I have a /24 I want to announce, but I don't actually have it anywhere on
the network. I NAT some of its IPs on the SRX that has the BGP session
with our providers.
I've been using static routes with the discard flag,
The static discard works just fine, but from what I recall a simple
static route would not insert the ATOMIC_AGGREGATE into BGP.
For example to advertise 192.168.1.0/24 with ATOMIC_AGGREGATE.
set routing-options static route 192.168.1.1/32 discard (contributing route)
set routing-options
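The contributing-route plus aggregate pattern described above, written out as an added example (not the author's own configuration). It reuses the 192.168.1.0/24 prefix from the message; the policy name `EXPORT-AGG` and BGP group name `UPSTREAM` are assumptions, and lines starting with `#` are explanatory comments rather than commands.

```junos
# Added example, not from the thread. Prefix taken from the message above;
# EXPORT-AGG and UPSTREAM are assumed names.

# Contributing route: a Junos aggregate is only active while at least one
# more-specific active route exists beneath it. A /32 discard route never
# goes away, so the /24 stays advertised regardless of NAT pool state.
set routing-options static route 192.168.1.1/32 discard

# The aggregate itself. "discard" means packets for addresses inside the /24
# that have no more-specific route (NAT entries, interface routes) are dropped
# by the routing lookup rather than handed to the flow engine. When exported,
# an aggregate carries ATOMIC_AGGREGATE and AGGREGATOR in BGP.
set routing-options aggregate route 192.168.1.0/24 discard

# Export the aggregate to the upstreams, but not the /32 contributor.
set policy-options policy-statement EXPORT-AGG term agg from protocol aggregate
set policy-options policy-statement EXPORT-AGG term agg from route-filter 192.168.1.0/24 exact
set policy-options policy-statement EXPORT-AGG term agg then accept
set policy-options policy-statement EXPORT-AGG term reject then reject
set protocols bgp group UPSTREAM export EXPORT-AGG
```

In `show route 192.168.1.0/24` the aggregate appears under the `Aggregate` protocol (preference 130), which is what the `from protocol aggregate` term matches; the /32 contributor still shows as `Static`.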
What protocol do these aggregates show up under? Not static?
Morgan
Sent from my iPhone
On Jun 22, 2012, at 9:15 AM, Doug Hanks dha...@juniper.net wrote:
The static discard works just fine, but from what I recall a simple
static route would not insert the ATOMIC_AGGREGATE into BGP.
This is exactly what happened. The session table filled up. One of our security
guys took down our edge 650 cluster from a single unix box out on the net.
Sent from my iPhone
On Jun 22, 2012, at 4:39 AM, Scott T. Cameron routeh...@gmail.com wrote:
On Wed, Jun 20, 2012 at 10:14 PM, Morgan
On 6/22/12 9:49 AM, Morgan McLean wrote:
This is exactly what happened. The session table filled up. One of our security
guys took down our edge 650 cluster from a single unix box out on the net.
This is what happens when you use a stateful box for an internet router.
a router with a
I have a /24 I want to announce, but I don't actually have it anywhere on
the network. I NAT some of its IPs on the SRX that has the BGP session
with our providers.
I've been using static routes with the discard flag, but I don't really
like the way the SRX handles traffic. It still creates
On Wed, 20 Jun 2012, Morgan McLean wrote:
I have a /24 I want to announce, but I don't actually have it anywhere on
the network. I NAT some of its IPs on the SRX that has the BGP session
with our providers.
I've been using static routes with the discard flag, but I don't really
like the way