Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: UUNet Offer New Protection Against DDoS

  • From: Stephen J. Wilcox
  • Date: Wed Mar 03 17:24:43 2004

> > I'm puzzled by one aspect on the implementation.. how to build your customer
> > prefix filters.. that is, we have prefix-lists for prefix and length.  
> > Therefore at present we can only accept a tagged route for a whole block..
> > not good if the announcement is a /16 etc !
> 
> MCI handles this by only filtering on prefix, not length.  Well, 
> allowing you to only announce up to your length, not shorter, but 
> longer is allowed.

Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in 
addition we have an extra filter which overrides anything that would deny 
anything longer than a /24. I'm not keen to change that.. LART appears to have 
little or no effect with my customers, preemption appears to be the only way!

Steve


> > Now, I could do as per the website at secsup.org which means we have a 
> > route-map
> > entry to match the community before the filtering .. but that would 
> > allow the
> > customer to null route any ip.
> >
> > What we need is one to allow them to announce any route including more
> > specifics of the prefix list - how are folks doing this?
> 
> It's not hard.  I think the old UUNET just used standard ACLs (1->99). 
> :)  But with prefix filters, you can set gt & lt prefix lengths on the 
> filters trivially.
> 
> Of course, your customers can then deaggregate to their hearts content. 
>   If they do, you should hunt them down and LART them.  But it is useful 
> for some things, especially when combined with no_export, the 
> black-hole communities, or other communities.
> 
> 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.