Configure BGP to only be allowed from specific peers

  • 1.  Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 06:47

    Hi,

    Couple of questions:

    1: Could someone let me know how I can configure BGP to only allow updates from specified peers please?

    2: Is "Graceful restart" a good option to configure?

    Thanks



  • 2.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 06:58
    1: Could someone let me know how I can configure BGP to only allow updates from specified peers please?
    Yes, you can apply an import policy and accept updates from a specific peer only.

    2: Is "Graceful restart" a good option to configure?
    Yes, it helps keep the forwarding plane working while the control plane (protocol) restarts, and re-syncs the previous control-plane information from its peers.


  • 3.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 08:28

    So, to help others, I will configure the following:

    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>
    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>   - repeat if more than 1 peer
    set firewall family inet filter bgpfilter_179 term 1 from destination-port bgp
    set firewall family inet filter bgpfilter_179 term 1 then accept
    set firewall family inet filter bgpfilter_179 term 2 then reject
    set interfaces lo0 unit 2 family inet filter input bgpfilter_179

    Thanks for the help Kingsman

     



  • 4.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 21:43

    Hello,

    @adgwytc wrote:

        So, to help others, I will configure the following:

        set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>
        set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>   - repeat if more than 1 peer
        set firewall family inet filter bgpfilter_179 term 1 from destination-port bgp
        set firewall family inet filter bgpfilter_179 term 1 then accept
        set firewall family inet filter bgpfilter_179 term 2 then reject
        set protocols bgp group external-peers import bgpfilter_179

    This config won't commit.

    One cannot assign firewall filters to BGP peers; you have to use a policy:

    set policy-options policy-statement deny-all then reject
    set protocols bgp group BLAH neighbor 203.0.113.1 import deny-all

    HTH

    Thx
    Alex

     



  • 5.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 01:44

    Well, that's rather confusing from the Juniper documentation then.

    https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-flood-prevention-block-tcp-port-access.html

    As a quick question then (given that the firewall option is the documentation I can find): how do I only allow from specified peers and deny all others? The policy you have written seems to deny all... or is the following line saying deny all except from this peer:

    set protocols bgp group BLAH neighbor 203.0.113.1 import deny-all

    Apologies if this sounds like a silly question.

     

     



  • 6.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 01:59
    You apply the policy to the neighbor; the policy will reject all the routes received from that particular peer.


  • 7.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 02:04

    Hi Kingsman,

    Sorry, I probably need to reword the question:

    I do not know what addresses will be trying to compromise the BGP port 179, so I need to accept from 1 peer and block all other possible peers. How can I achieve this?

    The documentation states to use the firewall filter and apply it to the group and the loopback interface, but I am now being informed this will not work.



  • 8.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 02:09

    Here's the confusion:

    Do you want to receive updates from a specific peer, or do you want to form a BGP neighborship/peering with a specific peer only?

    If you have, let's say, 3 BGP neighbors (A, B, C) and want to receive updates from peer A only, you can apply a deny-all import policy to peer B and peer C, which will cause BGP to accept routes from A only.

    To allow port 179 for a specific source/destination, you need to create a firewall filter and apply it on lo0.
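    The route-level option described in this post, written out as an added Junos example (this is not configuration from the thread or from Juniper): three eBGP neighbours form sessions, only peer A's routes reach the routing table, and peer A's own import policy additionally rejects routes an upstream should never be allowed to deliver (this AS's own space, private space, anything longer than a /24) and caps the number of prefixes. All addresses, AS numbers, prefix-list and policy names are assumed placeholders (RFC 5737 / documentation ranges); the `#` lines are comments for the reader, not Junos syntax, and would be removed before `load set`.

```junos
# Import policies act on routes received over a session that is already
# Established. They do not stop anyone from connecting to tcp/179; that is
# the job of a firewall filter on lo0, which is a separate control.

# Prefixes this AS originates: an upstream must never send them back to us.
set policy-options prefix-list own-prefixes 192.0.2.0/24

# Import policy for the trusted upstream (peer A). Terms are evaluated in order.
set policy-options policy-statement from-upstream term own-space from prefix-list-filter own-prefixes orlonger
set policy-options policy-statement from-upstream term own-space then reject
set policy-options policy-statement from-upstream term private-space from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement from-upstream term private-space from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement from-upstream term private-space from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement from-upstream term private-space then reject
set policy-options policy-statement from-upstream term too-specific from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement from-upstream term too-specific then reject
set policy-options policy-statement from-upstream term accept-rest then accept

# Import policy for peers whose routes must never be installed (B and C).
set policy-options policy-statement deny-all then reject

set protocols bgp group upstream type external

# Peer A: trusted upstream, filtered import, prefix limit that tears the
# session down at 1,000,000 routes (warning at 90 %) and holds it idle 30 min.
set protocols bgp group upstream neighbor 198.51.100.1 description "peer A - trusted upstream"
set protocols bgp group upstream neighbor 198.51.100.1 peer-as 64496
set protocols bgp group upstream neighbor 198.51.100.1 import from-upstream
set protocols bgp group upstream neighbor 198.51.100.1 family inet unicast prefix-limit maximum 1000000
set protocols bgp group upstream neighbor 198.51.100.1 family inet unicast prefix-limit teardown 90 idle-timeout 30

# Peers B and C: sessions come up, every route they send is rejected.
set protocols bgp group upstream neighbor 198.51.100.2 description "peer B - routes rejected"
set protocols bgp group upstream neighbor 198.51.100.2 peer-as 64497
set protocols bgp group upstream neighbor 198.51.100.2 import deny-all
set protocols bgp group upstream neighbor 198.51.100.3 description "peer C - routes rejected"
set protocols bgp group upstream neighbor 198.51.100.3 peer-as 64498
set protocols bgp group upstream neighbor 198.51.100.3 import deny-all
```

    After committing, `show route receive-protocol bgp 198.51.100.1` lists what the policy accepted from peer A, while routes the policy rejected (and everything from B and C) appear only under `show route hidden`. `show bgp neighbor 198.51.100.2` will still report the session as Established, which is exactly why this option does not answer the "only one address may connect to port 179" question.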

     

     



  • 9.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 02:21

    Hi Kingsman,

    We already have the peer relationship as "Established"... what I need to ensure is that we only receive advertised routes from that particular peer.

    The peer is an upstream PE device from another ISP and is the only "trusted" peer we want to connect to port 179 and send advertisements of the Internet routing table. We do not want any other, possibly compromised, device attempting to connect to port 179 and sending rogue routes that could lead to DoS attacks.

    Your line that states:

    To allow port 179 for a specific source/destination, you need to create a firewall filter and apply it on lo0.

    is what I have written above and was then informed it won't work.

    Thanks



  • 10.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 02:32

    Thanks Kingsman and aarseniev for the help. Very much appreciated.

    My apologies aarseniev, I misread your response. You merely stated it would not commit because I wrote the line wrong. I meant to state the loopback but instead stated assigning to the peer group... my bad.

    I'll configure both options and test and see which suits our situation best.

     

     



  • 11.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-21-2018 09:10

    Apologies gentlemen.

    I am re-opening this because I cannot get anything to work. A scan will still connect from another "fabricated" peer.

    Again, to summarise:

    I have "one" upstream peer only that I have in an "established state". This is the ONLY peer I want to be able to peer with or appear to peer with. If I do not know the addresses of anyone else trying to compromise the peering address, how can I stop everyone else from trying to peer?

    I have tried Policy and Firewall and neither work (by the way, the peering is with the physical interface and not the loopback, as per the upstream peer's request).

    I understand the advice of "if you have 3 peers and want to block 2 of them"... but this is not the case. I simply want to allow BGP peering to "1" address only and block any other possible connection attempts.

     



  • 12.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-21-2018 13:41

    Hello there,

    @adgwytc wrote:

        Again, to summarise:

        I have "one" upstream peer only that I have in an "established state". This is the ONLY peer I want to be able to peer with or appear to peer with. If I do not know the addresses of anyone else trying to compromise the peering address, how can I stop everyone else from trying to peer?

    If you define only 1 BGP peer then, absent the loopback filter, all other attempts to connect to tcp/179 will be dropped & logged. Is that not enough for you then?

    @adgwytc wrote:

        I have tried Policy and Firewall and neither work (by the way, the peering is with the physical interface and not the loopback, as per the upstream peer's request).

    Please show us then what exactly is not working and how you tested it.

    Generally speaking, your options are (in order of increasing security):

    1/ define only 1 peer without authentication - all connection attempts to tcp/179 will be dropped & logged by RPD EXCEPT those from a spoofed src IP == your peer IP

    2/ define only 1 peer WITH authentication - all connection attempts to tcp/179 will be dropped & logged by RPD INCLUDING those from a spoofed src IP == your peer IP if that spoofed IP uses the wrong password or no password

    3/ define only 1 peer with authentication & adjust the loopback filter to allow tcp/179 ONLY from your peer src IP - all connection attempts to tcp/179 will be dropped & optionally logged by that filter, and connection attempts from a spoofed src IP == your peer IP && wrong password will be logged by RPD. You have to exercise caution with this filter since the BGP connection can be initiated from either side unless one side is configured as passive.

    4/ most secure - define only 1 peer with authentication & use GTSM (if your peer supports it) & adjust the loopback filter as above.

    JUNOS BGP GTSM reading:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/ttl-edit-protocols-bgp-mulithop.html

    HTH

    Thx

    Alex
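    Option 4 above (one peer, authentication, GTSM and a tightened loopback filter) written out as a single Junos configuration. This is an added example, not configuration from the thread or from Juniper; addresses, AS numbers, filter and counter names and the secret are placeholders. Two statements are assumptions to verify on your release and platform: `ttl 255` under the BGP group, which makes this router send BGP packets with TTL 255 (the Juniper page linked above documents the multihop form of the same statement), and the `from ttl 255` match in the filter, which is only available on some MX hardware. If the peer cannot send TTL 255, drop both `ttl` lines and you are at option 3. The `#` lines are comments for the reader, not Junos syntax.

```junos
# --- BGP: exactly one neighbour, MD5 authenticated, sending TTL 255 (GTSM) ---
set protocols bgp group upstream type external
set protocols bgp group upstream local-address 198.51.100.2
set protocols bgp group upstream authentication-key "<shared secret agreed with the peer>"
set protocols bgp group upstream ttl 255
set protocols bgp group upstream peer-as 64496
set protocols bgp group upstream neighbor 198.51.100.1

# --- lo0 filter: tcp/179 only between this router and that neighbour ----------
# An lo0 input filter sees every packet addressed to the Routing Engine,
# whichever physical interface it arrived on, so it also protects a session
# that peers on an interface address rather than on the loopback.
# "port bgp" matches source OR destination port 179, which covers both the case
# where the peer opens the session (dst 179) and the case where this router
# opens it (src 179 in the returning packets), the caveat raised in option 3.
set firewall family inet filter protect-re term bgp-from-peer from source-address 198.51.100.1/32
set firewall family inet filter protect-re term bgp-from-peer from destination-address 198.51.100.2/32
set firewall family inet filter protect-re term bgp-from-peer from protocol tcp
set firewall family inet filter protect-re term bgp-from-peer from port bgp
set firewall family inet filter protect-re term bgp-from-peer from ttl 255
set firewall family inet filter protect-re term bgp-from-peer then count bgp-peer-accepted
set firewall family inet filter protect-re term bgp-from-peer then accept

# Everything else touching tcp/179, including packets that spoof the peer's
# address but arrive with a decremented TTL, is counted, logged and dropped.
set firewall family inet filter protect-re term bgp-other from protocol tcp
set firewall family inet filter protect-re term bgp-other from port bgp
set firewall family inet filter protect-re term bgp-other then count bgp-dropped
set firewall family inet filter protect-re term bgp-other then log
set firewall family inet filter protect-re term bgp-other then syslog
set firewall family inet filter protect-re term bgp-other then discard

# Leave the rest of the RE traffic alone here; tighten it per service (ssh,
# ntp, snmp, ...) with further terms placed before this one.
set firewall family inet filter protect-re term everything-else then accept

set interfaces lo0 unit 0 family inet filter input protect-re
```

    After the commit, `show firewall filter protect-re` shows the two counters moving, `show firewall log` shows what `bgp-other` dropped, and the existing session should stay Established without a flap because `bgp-from-peer` precedes `bgp-other`. Remember the hold time mentioned later in the thread: a session you expect the filter to kill takes up to the hold time (usually 180 s) to leave Established.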



  • 13.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-22-2018 01:13

    Thanks Alex. I'll give this a try, but for info here is the configuration and result (IPs changed):

    set firewall family inet filter bgpfilter-179 term 1 from source-address 10.10.10.10/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-address 10.10.10.11/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 2 then discard

    set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

    I would expect, with this filter applied to the interface, that, for example, the Cymru bogon peering would drop, but it does not, as is shown below:

    Peer: 38.229.6.20+41099 AS 15895 Local: 10.10.10.11+179 AS 111111
      Description: cymru fullbogon bgp feed (ipv4 + 6)
      Group: cymru-bogons          Routing-Instance: master
      Forwarding routing-instance: master
      Type: External    State: Established    Flags: <Sync RSync>

    As can be seen, it is still Established. So the firewall filter does not work.

    If I place the "deny-all" policy statement in the group, will that not stop the actual peer too?



  • 14.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-22-2018 01:57

    Hello,

    @adgwytc wrote:

        <skip>

        set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

        <skip>

        I would expect, with this filter applied to the interface, that, for example, the Cymru bogon peering would drop, but it does not, as is shown below:

        Peer: 38.229.6.20+41099 AS 15895 Local: 10.10.10.11+179 AS 111111
        <skip>

        As can be seen, it is still Established. So the firewall filter does not work.

    Are you sure the Team Cymru tcp/179 connection arrives into your router via interface xe-1/2/5.0?

    Please share the printout:

    monitor traffic interface xe-1/2/5.0 no-resolve size 9999 matching tcp

    Also, did you wait long enough after applying the filter? The BGP holdtime is usually 180 secs/3 mins.

    HTH

    Thx
    Alex



  • 15.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-22-2018 02:20

    Hi Alex,

    We only have the one outbound connection via the upstream ISP and all peers come in on that interface. If they come in anywhere else then some form of "Harry Potter" is occurring 🙂

    Here is the Cymru bogon peering still established and still receiving updates:

    Listening on xe-1/2/5.0, capture size 9999 bytes
    09:13:57.004970 In IP 38.229.6.20.41099 > 10.10.10.10: P 3549443539:3549443558(19)
    09:13:57.105476 Out IP 10.10.10.10 > 38.229.6.20.41099: . ack 19 win 16384

    The filter is still applied to the interface as follows (we tried different methods and none were successful):

    set firewall family inet filter bgpfilter-179 term 1 from source-address 10.10.10.10/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-address 10.10.10.11/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 2 from source-address 0.0.0.0/0
    set firewall family inet filter bgpfilter-179 term 2 from destination-address 11.11.11.11/32
    set firewall family inet filter bgpfilter-179 term 2 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 2 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 2 then discard

    set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

    Not sure why it is not working.



  • 16.  RE: Configure BGP to only be allowed from specific peers
    Best Answer

    Posted 08-22-2018 02:41

    Hello,

    I see you have an input-list; are there any other filters in it before bgpfilter-179? Please make sure bgpfilter-179 is the leftmost filter in this input-list.

    If there is only 1 filter in the input-list, then please reconfigure your filter as follows, re-test and report back:

    set firewall family inet filter bgpfilter-179 term 1 from source-address <your peer IP address>
    set firewall family inet filter bgpfilter-179 term 1 from destination-address <your own peering IP>
    set firewall family inet filter bgpfilter-179 term 1 from protocol tcp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 1 then count peer-pkts
    set firewall family inet filter bgpfilter-179 term 2 from source-address 0.0.0.0/0
    set firewall family inet filter bgpfilter-179 term 2 from destination-address <your own peering IP>
    set firewall family inet filter bgpfilter-179 term 2 from protocol tcp
    set firewall family inet filter bgpfilter-179 term 2 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 2 then discard
    set firewall family inet filter bgpfilter-179 term 2 then log
    set firewall family inet filter bgpfilter-179 term 3 then accept
    set interfaces xe-1/2/5 unit 0 family inet filter input bgpfilter-179

     

    HTH

    Thx
    Alex



  • 17.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-22-2018 03:50

    Hi Alex,

    I did not know that input-lists for filters were order-dependent. Now I know (this is the first input-list I have needed)... 🙂

    I kept the original configuration and changed the order of the filters as per your recommendation, and now the scan shows the port as "filtered" rather than "open"... I am happy with this. Thank you.

    Unfortunately I could not use your configuration because it allowed the second filter, for SSH, to suddenly show as "open" on a scan... possibly because its position was moved within the list.

    I could, theoretically, just create one long filter including both the BGP and the SSH terms and apply it to the interface, but I think we are happy keeping them separate.

    Again, thank you for your help.



  • 18.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 07:57

    Hello,

    @adgwytc wrote:

        2: Is "Graceful restart" a good option to configure?

    Yes, if you have no better choice (i.e. an SRX cluster, where NSR is not supported).

    No, if you use BFD - BGP GR is aborted if BFD times out, as per RFC 4724 section 4.2.

    HTH

    Thx

    Alex