ip (Security Screen)
Syntax
ip {
    bad-option;
    block-frag;
    loose-source-route-option;
    record-route-option;
    security-option;
    source-route-option;
    spoofing;
    stream-option;
    strict-source-route-option;
    tear-drop;
    timestamp-option;
    unknown-protocol;
}
Hierarchy Level
[edit security screen ids-option screen-name]
Release Information
Statement introduced in Release 8.5 of Junos OS.
Description
Configure IP layer IDS options.
Options
- bad-option—Detect and drop any packet with an incorrectly formatted IP option in the IP packet header. The device records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- block-frag—Enable IP packet fragmentation blocking. When enabled, the device drops every fragmented IP packet that arrives on an interface in the zone, legitimate fragments included, so confirm that traffic entering the zone does not depend on fragmentation (for example, because of a reduced path MTU) before you enable it.
- loose-source-route-option—Detect packets where the IP option is 3 (loose source routing), and record the event in the screen counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified. The type 0 routing header is the only related header defined in IPv6, and it has since been deprecated by RFC 5095, so its presence in live traffic is itself suspicious.
- record-route-option—Detect packets where the IP option is 7 (record route), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- security-option—Detect packets where the IP option is 2 (security), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- source-route-option—Detect packets carrying either form of the IP source route option, loose (option 3) or strict (option 9), and record the event in the screen counters list for the ingress interface. This single check covers both forms; use the loose-source-route-option and strict-source-route-option statements when you want them counted separately.
- spoofing—Prevent spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. With this option enabled, the device looks up the source address of each arriving packet in its routing table and drops the packet if the best route back to that source does not lead through the interface on which the packet arrived, which invalidates such false source IP address connections. The default behavior is to base spoofing decisions on individual interfaces. Asymmetric routing, where return traffic legitimately takes a different interface, fails this check, so verify the routing design before enabling the option.
- stream-option—Detect packets where the IP option is 8 (stream ID), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- strict-source-route-option—Detect packets where the IP option is 9 (strict source routing), and record the event in the screen counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable only to IPv4.
- tear-drop—Block the teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.
- timestamp-option—Detect packets where the IP option list includes option 4 (Internet timestamp), and record the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- unknown-protocol—Discard all received IP packets with protocol numbers greater than 137 for IPv4 and 139 for IPv6. When this statement was introduced, such protocol numbers were undefined or reserved; IANA has since assigned several of them (for example, 141 for WESP, 142 for ROHC and 143 for Ethernet), so check that no traffic you need uses a protocol number in that range before enabling the option.
Usage Guidelines
For configuration instructions and examples, see the Junos OS Security Configuration Guide.
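The following is an added example, not taken from the configuration guide or from this reference page, showing how the options above are combined into a screen profile, staged in alarm-only mode, bound to a zone, and verified from the counters. The profile name untrust-screen and the zone name untrust are assumptions chosen for illustration.

```junos
# Added example: build an IP screen profile (names are illustrative).
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip record-route-option
set security screen ids-option untrust-screen ip security-option
set security screen ids-option untrust-screen ip stream-option
set security screen ids-option untrust-screen ip timestamp-option
set security screen ids-option untrust-screen ip unknown-protocol
# block-frag is deliberately omitted: it drops every fragment on the zone,
# so add it only after confirming the zone's traffic never fragments.

# Stage 1: count and log matches without dropping, to baseline legitimate hits.
set security screen ids-option untrust-screen alarm-without-drop

# Screens act on the ingress interfaces of the zone they are bound to.
set security zones security-zone untrust screen untrust-screen
commit

# Verify the profile and watch the per-option counters the statements increment.
show security screen ids-option untrust-screen
show security screen statistics zone untrust

# Stage 2: once the counters show only expected activity, enforce drops.
delete security screen ids-option untrust-screen alarm-without-drop
commit
```

The lines beginning with # are annotation; the set, delete, commit and show commands are what is typed. Staging with alarm-without-drop matters most for spoofing and block-frag, which are the two options most likely to match legitimate traffic (asymmetric routing and fragmented flows respectively); the screen statistics for the zone show which option is firing before anything is dropped.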
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.