North American Network Operators Group
Re: UUNet Offer New Protection Against DDoS
- From: Patrick W. Gilmore
- Date: Wed Mar 03 17:16:52 2004
On Mar 3, 2004, at 4:47 PM, Stephen J. Wilcox wrote:

> I'm puzzled by one aspect on the implementation.. how to build your
> prefix filters.. that is, we have prefix-lists for prefix and length.
> at present we can only accept a tagged route for a whole block.. not
> good if the announcement is a /16 etc !

MCI handles this by only filtering on prefix, not length. Well,
allowing you to only announce up to your length, not shorter, but
longer is allowed.

> Now, I could do as per the website at secsup.org which means we have a
> entry to match the community before the filtering .. but that would
> customer to null route any ip.
>
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?

It's not hard. I think the old UUNET just used standard ACLs (1->99).
:) But with prefix filters, you can set gt & lt prefix lengths on the

Of course, your customers can then deaggregate to their heart's content.
If they do, you should hunt them down and LART them. But it is useful
for some things, especially when combined with no_export, the
black-hole communities, or other communities.
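Added example, not part of the original message: a small Python model of the inbound filter choices discussed in this thread, showing which customer announcements each one accepts. The community value 65000:666, the customer prefix, the sample routes and the last policy (more-specifics accepted only when tagged) are assumptions made for illustration.

```python
import ipaddress

BLACKHOLE = "65000:666"            # assumed community value, not from the thread
CUSTOMER = ["198.51.100.0/24"]     # constructed customer prefix-list (documentation range)

def covered(route, entry, max_len):
    """True if route lies inside entry and is no longer than max_len."""
    r, e = ipaddress.ip_network(route), ipaddress.ip_network(entry)
    return r.subnet_of(e) and r.prefixlen <= max_len

def exact(route, comms):
    """Prefix and length must both match: only the whole block is accepted."""
    return any(covered(route, p, ipaddress.ip_network(p).prefixlen) for p in CUSTOMER)

def community_first(route, comms):
    """Community matched before the prefix filter: a tag bypasses the filter."""
    return BLACKHOLE in comms or exact(route, comms)

def prefix_only(route, comms):
    """Filter on prefix, not length: longer is allowed, shorter is not."""
    return any(covered(route, p, 32) for p in CUSTOMER)

def scoped_blackhole(route, comms):
    """Assumed tightening: more-specifics accepted only when tagged blackhole."""
    if BLACKHOLE in comms:
        return prefix_only(route, comms)
    return exact(route, comms)

# Constructed announcements: (route, communities)
ROUTES = [
    ("198.51.100.0/24", []),            # the whole block, untagged
    ("198.51.100.7/32", [BLACKHOLE]),   # customer's own host, tagged
    ("203.0.113.9/32", [BLACKHOLE]),    # address outside the customer's block, tagged
    ("198.51.100.128/25", []),          # untagged deaggregation
    ("198.51.0.0/16", []),              # shorter than the assigned prefix
]

def evaluate():
    """Return {policy name: [accepted? for each entry in ROUTES]}."""
    policies = (exact, community_first, prefix_only, scoped_blackhole)
    return {p.__name__: [p(r, c) for r, c in ROUTES] for p in policies}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:17}", ["accept" if v else "reject" for v in verdicts])
```

Only community_first accepts the tagged /32 outside the customer's block, and only prefix_only accepts the untagged /25, which is the deaggregation side effect mentioned above.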