ip (Security Screen)
Syntax
ip {
    bad-option;
    block-frag {
        white-list name;
    }
    ipv6-extension-header {
        AH-header;
        ESP-header;
        HIP-header;
        destination-header {
            ILNP-nonce-option;
            home-address-option;
            line-identification-option;
            tunnel-encapsulation-limit-option;
            user-defined-option-type <type-low> to <type-high>;
        }
        fragment-header;
        hop-by-hop-header {
            CALIPSO-option;
            RPL-option;
            SFM-DPD-option;
            jumbo-payload-option;
            quick-start-option;
            router-alert-option;
            user-defined-option-type <type-low> to <type-high>;
        }
        mobility-header;
        no-next-header;
        routing-header;
        shim6-header;
        user-defined-option-type <type-low> to <type-high>;
    }
    ipv6-extension-header-limit limit;
    ipv6-malformed-header;
    loose-source-route-option;
    record-route-option;
    security-option;
    source-route-option;
    spoofing;
    stream-option;
    strict-source-route-option;
    tear-drop;
    timestamp-option;
    unknown-protocol;
    tunnel {
        gre {
            gre-4in4;
            gre-4in6;
            gre-6in4;
            gre-6in6;
        }
        ip-in-udp {
            teredo;
        }
        ipip {
            ipip-4in4;
            ipip-4in6;
            ipip-6in4;
            ipip-6in6;
            ipip-6over4;
            ipip-6to4relay;
            isatap;
            dslite;
        }
        bad-inner-header;
    }
}
Hierarchy Level
[edit security screen ids-option screen-name]
Description
Configure IP layer IDS options.
Options
bad-option—Detect and drop any packet with an incorrectly formatted IP option in the IP packet header. The device records the event in the screen counters list for the ingress interface. This screen option is applicable to IPv4 and IPv6.
block-frag—Enable IP packet fragmentation blocking.
loose-source-route-option—Detect packets where the IP option is 3 (loose source routing), and record the event in the screen counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified. The type 0 routing header of the loose source route option is the only related header defined in IPv6.
record-route-option—Detect packets where the IP option is 7 (record route), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
security-option—Detect packets where the IP option is 2 (security), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
source-route-option—Detect packets carrying an IP source route option, and record the event in the screen counters list for the ingress interface.
spoofing—Prevent spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the spoofing option invalidates such false source IP address connections. The default behavior is to base spoofing decisions on individual interfaces.
stream-option—Detect packets where the IP option is 8 (stream ID), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
strict-source-route-option—Detect packets where the IP option is 9 (strict source routing), and record the event in the screen counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable only to IPv4.
tear-drop—Block the teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.
timestamp-option—Detect packets where the IP option list includes option 4 (Internet timestamp), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
unknown-protocol—Discard all received IP frames with protocol numbers greater than 137 for IPv4 and 139 for IPv6. Such protocol numbers are undefined or reserved.
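To make concrete what these screens look for on the wire, the following Python script is an added example; it is not Junos OS code and not part of this reference. It walks an IPv4 header's option list and reports which of the screens above would record the packet, using the option numbers (2, 3, 4, 7, 8, 9) given in their descriptions; it flags a malformed option length the way bad-option does; it applies the unknown-protocol ceilings (137 for IPv4, 139 for IPv6); and it checks a list of fragments for the overlap that tear-drop blocks. The assumption that source-route-option covers both loose and strict source routing, the helper names, and the sample packets are all constructed for this example.

```python
import struct
from dataclasses import dataclass, field

# IPv4 option numbers named in the option descriptions above, mapped to the screen that
# records them. The option number is the low 5 bits of the option-type byte; the copied
# flag and class occupy the upper 3 bits.
IPV4_OPTION_SCREENS = {
    2: "security-option",
    3: "loose-source-route-option",
    4: "timestamp-option",
    7: "record-route-option",
    8: "stream-option",
    9: "strict-source-route-option",
}

# Protocol-number ceilings stated for unknown-protocol: above these is undefined or reserved.
MAX_KNOWN_PROTOCOL = {4: 137, 6: 139}


def is_unknown_protocol(ip_version: int, number: int) -> bool:
    """True if the protocol (IPv4) or next-header (IPv6) number exceeds the stated ceiling."""
    return number > MAX_KNOWN_PROTOCOL[ip_version]


@dataclass
class Verdict:
    protocol: int
    option_numbers: list = field(default_factory=list)
    screens: list = field(default_factory=list)  # sorted names of screens that would fire


def inspect_ipv4(packet: bytes) -> Verdict:
    """Walk an IPv4 header and report which ip screen options would record the packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL inconsistent with packet length")
    verdict = Verdict(protocol=packet[9])
    fired = set()
    if is_unknown_protocol(4, verdict.protocol):
        fired.add("unknown-protocol")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == 0:          # End of Option List: nothing further to parse
            break
        if opt_type == 1:          # No Operation: single-byte option
            i += 1
            continue
        # Every other option is TLV: type, total length (>= 2, including these two bytes), data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            fired.add("bad-option")  # malformed length: bad-option drops the packet
            break
        number = opt_type & 0x1F
        verdict.option_numbers.append(number)
        if number in IPV4_OPTION_SCREENS:
            fired.add(IPV4_OPTION_SCREENS[number])
        if number in (3, 9):     # assumption: source-route-option covers both loose and strict
            fired.add("source-route-option")
        i += opts[i + 1]
    verdict.screens = sorted(fired)
    return verdict


def fragments_overlap(fragments) -> bool:
    """tear-drop condition: any two (offset, length) fragments of one datagram overlap."""
    spans = sorted((off, off + length) for off, length in fragments)
    return any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:]))


def build_ipv4(protocol: int, options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left zero); options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, protocol, 0, src, dst)
    return fixed + options


# Constructed samples: loose source route (0x83 = copied flag + option 3), a timestamp
# option (0x44 = class 2 + option 4), an option with an impossible length, and a
# protocol number above the IPv4 ceiling.
SAMPLE_LSRR = build_ipv4(6, bytes([0x83, 7, 4, 10, 0, 0, 9]))
SAMPLE_TIMESTAMP = build_ipv4(17, bytes([0x44, 8, 5, 0, 0, 0, 0, 0]))
SAMPLE_BAD_OPTION = build_ipv4(6, bytes([0x83, 1]))
SAMPLE_RESERVED_PROTO = build_ipv4(200)

if __name__ == "__main__":
    for name, pkt in [("lsrr", SAMPLE_LSRR), ("timestamp", SAMPLE_TIMESTAMP),
                      ("bad-option", SAMPLE_BAD_OPTION), ("proto-200", SAMPLE_RESERVED_PROTO)]:
        print(f"{name}: {inspect_ipv4(pkt).screens}")
    print("overlap:", fragments_overlap([(0, 1480), (1000, 1480)]))
```

The parser stops at the first malformed option rather than continuing, mirroring the drop-on-detect behaviour of bad-option; the other screens only record, so a packet can match several of them at once (the loose source route sample triggers both loose-source-route-option and the generic source-route-option under the stated assumption).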
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5. Support.