Date created: 03/16/18 09:36:46. Last modified: 05/31/20 11:01:50

MX Loopback0 Filter Notes

References:
https://tools.ietf.org/html/rfc6192
https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-match-conditions-for-ipv4-traffic.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB11436
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30953

 

MX Series Book: PDF page 238 - real page 270

1. example treats internal and external ICMP the same, causing false
positives for ICMP monitoring during attack
2. ICMP ND is not limited to TTL 255, meaning anyone from Internet can
congest your next-hop resolution, not just connected attacker
3. it treats 'tcp-established' as magic toggle without verifying
source-address, allowing anyone to inject potentially 0day
packet-of-death parsing bugs abusing packets
4. it does not consistently verify daddr, allowing l3 mpls vpn
customer potentially to hammer control-plane
5. it does not discriminate various BFD modes, which have different
security posture (singlehop can limit ttl=255, multihop cant, echo and
control are different)
6. it uses 'port' match, allowing crafted source port to reach any
destination port (bgp peers can reach ssh port)
7. it does not discriminate different OSPF operations, your most
likely OSPF will work with TTL==1, which is additional hurdle for
attacker
8. it does not limit VRRP to ttl 255
9. it does not limit copy protocols (http, https,...) to
connected/establlished state
10. it does not discriminate between basic and extended LDP discovery
11. it uses 'next-header' as discard match, you should only use it as
permit match, because it's easy to circumvent

That is just 10min look. It's very complicated approach yet not
particularly secure one. But at least it's less broken than Cymru
secure template.

Few basic principles
a) never use 'port', all bidir TCP needs 'active' and 'passive' rule separately
b) never use prefix-list, always directional source/desination
c) if you run l3 mpls vpn, always verify 'destination-address'
d) have long list of permit/allow, then single discard at the end
e) if standard makes statement about TTL/hop-limit, use it, it's super
critical for ICMPv6 ND particularly
f) only use 'tcp-established' to make rule more strict, not to have
some handy catch-all return traffic permitter
g) avoid high level of abstraction, people will need to be able to
review it, preferably fast, bitrot is serious problem

 

Check for listening services with: show system connections | match LIST

 


Previous page: EX 2200 Lo0 Filter
Next page: MX104 Lo0 Filter Example