Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: BGP community based IP filtering

  • From: Jerry Scharf
  • Date: Thu Jan 15 10:54:50 1998

> 
> 
> I've been having an email discussion with a couple of Cisco engineers about
> how useful BGP community based IP filtering might be. The following IOS
> config fragment might help explain what I'm getting at:
> 
> int fddi0
>  ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
> 
> If you are using communities to make your prefix announcements to peers,
> this then allows the router to filter incoming IP packets that match your
> announcements. Excepting things like CPU load, implementation details, etc.,
> do you think this would be helpful, or am I way off with this?

IMO, this still has the problem of there being a local agreement between the 
peers that requires them to have a clue or everyone has bogus announces. There 
is hopefully going to be a presentation at NANOG by Tony and Yakov about 
cryptographic signing of prefix origination. This is a load more work in 
several ways, but it does strike at the heart of the problem.

jerry

> 
> 
> Regards
> 
> 
> Matt.
> 
> ---
> Matt Ryan - Network Engineer                    matt@planet.net.uk
> Planet OnLine Ltd, The White House,             Tel: +44 113 2345566
> Melbourne Street, Leeds, LS2 7PS, UK            Fax: +44 113 2240003
> 
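
A small Python model of the proposal and of the caveat raised in the reply, added here as an illustration; it is not code from the thread and not IOS behaviour. It assumes the filter matches on the packet's source address, and the prefixes (documentation ranges) and community values are constructed.

```python
import ipaddress

# Constructed sample routes: (prefix, communities attached by the announcer).
# Prefixes are documentation ranges and community values are made up.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", {"65000:100"}),
    ("198.51.100.0/24", {"65000:200"}),
    ("203.0.113.0/24", {"65000:999"}),   # not in the community-list
]
COMMUNITY_LIST = {"65000:100", "65000:200"}  # stands in for AA:BB and CC:DD


def build_filter(routes, community_list):
    """Prefixes whose route carries at least one permitted community."""
    return [
        (ipaddress.ip_network(prefix), sorted(comms & community_list))
        for prefix, comms in routes
        if comms & community_list
    ]


def check_packet(packet_filter, src):
    """Return (permitted, matching prefix, communities) for a source address."""
    addr = ipaddress.ip_address(src)
    for net, comms in packet_filter:
        if addr in net:
            return True, str(net), comms
    return False, None, []


def demo():
    results = {}
    f = build_filter(SAMPLE_ROUTES, COMMUNITY_LIST)
    results["tagged"] = check_packet(f, "192.0.2.7")[0]
    results["untagged"] = check_packet(f, "203.0.113.9")[0]
    # The caveat from the reply: the filter trusts whatever the peer tags.
    # A peer that attaches a permitted community to a prefix it should not
    # be announcing widens the packet filter with it.
    mistagged = SAMPLE_ROUTES + [("203.0.113.0/24", {"65000:100"})]
    f2 = build_filter(mistagged, COMMUNITY_LIST)
    results["after_mistag"] = check_packet(f2, "203.0.113.9")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Returning the matching prefix and community alongside the verdict makes it possible to audit which announcement opened the filter for a given source.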





