North American Network Operators Group
Re: UUNet Offer New Protection Against DDoS
- From: Patrick W. Gilmore
- Date: Wed Mar 03 17:42:37 2004
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
>>> I'm puzzled by one aspect on the implementation.. how to build your customer
>>> prefix filters.. that is, we have prefix-lists for prefix and length.
>>> Therefore at present we can only accept a tagged route for a whole block..
>>> not good if the announcement is a /16 etc !
>>
>> MCI handles this by only filtering on prefix, not length. Well,
>> allowing you to only announce up to your length, not shorter, but
>> longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
What's wrong with letting customers announce /32s into your network, as
long as you do not pass it to anyone else (including other customers)?
Here is what I did (when I had a network =) :
* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out
Theoretically, the Bogon out filters are irrelevant, since your table
should be clean from the inbound filters, but I like "belt and
suspenders". (Plus one day I leaked a slew of 10-net from a NOC test
LAN and hit one of the Merit instability mailing lists. Burned once,
twice shy. :)
--
TTFN,
patrick
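The four filters Patrick lists above, modelled as policy checks on a single announcement so the asymmetry is visible: a customer /32 inside a registered block is accepted, but neither the length filters nor the customer-only community let it leave the network. This is an added illustration, not code from the post or from any vendor; the bogon list is deliberately abbreviated, the community value 65000:666 and the customer allocation 192.0.2.0/24 are constructed, and it assumes the customer (not the provider) tags the route.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, abbreviated bogon list for illustration only; a real one is much longer.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUST_ONLY = "65000:666"  # hypothetical community: "keep this route inside our network"
MAX_LEN = 24             # nothing longer than a /24 crosses a peer or customer edge

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    communities: set = field(default_factory=set)

def route(prefix, *communities):
    """Build a Route from a prefix string and optional community strings."""
    return Route(ipaddress.ip_network(prefix), set(communities))

def is_bogon(net):
    return any(net.subnet_of(b) for b in BOGONS)

def customer_in(rt, registered):
    """Filter 1: accept only what falls inside the customer's registered blocks,
    at any length, so a /32 inside a registered /16 or /24 is accepted."""
    return any(rt.prefix.subnet_of(ipaddress.ip_network(r)) for r in registered)

def customer_out(rt):
    """Filter 2: no bogons and nothing longer than a /24 toward customers."""
    return not is_bogon(rt.prefix) and rt.prefix.prefixlen <= MAX_LEN

def peer_in(rt):
    """Filter 3: the same bogon and length check on routes learned from peers."""
    return customer_out(rt)

def peer_out(rt):
    """Filter 4: as filter 2, plus routes tagged customer-only never reach peers."""
    return customer_out(rt) and CUST_ONLY not in rt.communities

def disposition(rt, registered):
    """Run one customer announcement through the policy: is it accepted,
    and if so, which neighbours would see it?"""
    if not customer_in(rt, registered):
        return {"accepted": False, "to_customers": False, "to_peers": False}
    return {"accepted": True, "to_customers": customer_out(rt), "to_peers": peer_out(rt)}

if __name__ == "__main__":
    allocation = ["192.0.2.0/24"]  # constructed customer block (TEST-NET-1)
    print(disposition(route("192.0.2.7/32", CUST_ONLY), allocation))
    print(disposition(route("192.0.2.0/24"), allocation))
```

The /32 case is the "belt and suspenders" point: even if the community were missing, the length filters on both outbound edges still stop the more-specific from leaking.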