North American Network Operators Group
Re: UUNet Offer New Protection Against DDoS
- From: Patrick W. Gilmore
- Date: Wed Mar 03 17:42:37 2004
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
>> What's wrong with letting customers announce /32s into your network, as
>> long as you do not pass it to anyone else (including other customers)?
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing
>
> I'm puzzled by one aspect on the implementation.. how to build your
> prefix filters.. that is, we have prefix-lists for prefix and length.
> Therefore at present we can only accept a tagged route for a whole
> not good if the announcement is a /16 etc!

MCI handles this by only filtering on prefix, not length. Well,
allowing you to only announce up to your length, not shorter, but
longer is allowed.

> addition we have an extra filter which overrides anything that would
> anything longer than a /24. I'm not keen to change that.. LART appears
> little or no effect with my customers, preemption appears to be the
Here is what I did (when I had a network =) :
* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out
Theoretically, the Bogon out filters are irrelevant, since your table
should be clean from the inbound filters, but I like "belt and
suspenders". (Plus one day I leaked a slew of 10-net from a NOC test
LAN and hit one of the Merit instability mailing lists. Burned once,
twice shy. :)
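As an added illustration (not code from the thread or from any operator named in it), the four filter stages above modelled in Python: customer routes are matched on prefix only, so more specifics down to a /32 are accepted, while nothing longer than a /24, no bogon, and nothing tagged customer-only leaves the network. The customer block, the short bogon list and the `65000:666` community are constructed sample values.

```python
# Added example: models the four filter stages from the post using
# only the standard library. Sample data below is constructed.
import ipaddress
from dataclasses import dataclass, field

CUSTOMER_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical customer
BOGONS = [ipaddress.ip_network(n)                           # abbreviated list
          for n in ("0.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
MAX_LEN = 24            # nothing longer than a /24 is accepted from or sent to others
CUST_ONLY = "65000:666" # hypothetical community marking routes that must not leave


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    communities: frozenset = field(default_factory=frozenset)


def route(prefix, *communities):
    """Helper: build a Route from a prefix string and community strings."""
    return Route(ipaddress.ip_network(prefix), frozenset(communities))


def covered_by(prefix, blocks):
    """True if prefix equals, or is a more specific of, any block."""
    return any(prefix.subnet_of(b) for b in blocks)


def accept_from_customer(r, blocks=CUSTOMER_BLOCKS):
    # Stage 1: filter on prefix, not exact length. A /32 inside the
    # registered block passes; anything shorter or outside it does not.
    return covered_by(r.prefix, blocks)


def accept_from_peer(r):
    # Stage 3: bogon and /24 filter on peers inbound.
    return not covered_by(r.prefix, BOGONS) and r.prefix.prefixlen <= MAX_LEN


def advertise_to_customer(r):
    # Stage 2: same bogon and /24 filter outbound, so the accepted /32
    # stays inside the network and is never passed to other customers.
    return accept_from_peer(r)


def advertise_to_peer(r):
    # Stage 4: as stage 2, plus hold back anything tagged customer-only.
    return advertise_to_customer(r) and CUST_ONLY not in r.communities
```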