North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: weird BGP cisco-ism? [problem resolved]

  • From: Chris Garner
  • Date: Sat Jul 12 01:12:44 1997

>
>
>> 
>> 	The problem with tagging everything a BGP customer passes to
>> you with the "export it" tag is that customers have been known to export
>> routes they shouldn't.  The ACL provides a sanity check without costing
>> much (if you've already got the database/distribution tools built).
>
>that's why you build customer ingress filters based on IRR info, as i've 
>mentioned several times now....
>
>-danny
>
>
>

	Dawn breaks....I missed that, but rereading your earlier
messages I get it.  So we agree that everyone should have an ACL
somewhere between the customer and any exterior connection.  You are
saying that building egress ACLs that include the routes from all the
ingress filters doesn't scale.  

	If you've got them built off a database of some sort (internal,
IRR, whatever) building and keeping them consistent should be straightforward.
So any scaling problems are related to CPU/memory/BGP slowdown due to
the size of the lists or to propagation delay of changes (waiting for database
updates to propagate out).

	Does anyone know how large an ACL can be before it causes
performance problems?  My egress filters are in the hundreds of lines -
does anyone run ciscos with 1000 line distribute-lists in BGP?  10K lines?

	Without the egress ACLs you still aren't protected if you forget
to add an ingress ACL or have some bogus route you've generated internally.
And I've seen both of those happen to NSPs.  If you've got ingress and
egress filters you do have better protection.

	I guess I'm just paranoid about routing information, so I filter
at every access point.

-- 

                                -Chris ([email protected])