North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP community based IP filtering

  • From: Jerry Scharf
  • Date: Thu Jan 15 10:54:50 1998

> I've been having an email discussion with a couple of Cisco engineers about
> how useful BGP community based IP filtering might be. The following IOS
> config fragment might help explain what I'm getting at:
> int fddi0
>  ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
> If you are using communities to make your prefix announcements to peers,
> this then allows the router to filter incoming IP packets that match your
> announcements. Excepting things like CPU load, implementation details, etc
> do you think this would be helpful, or am I way off with this?

IMO, this still has the problem of there being a local agreement between the 
peers that require them to have a clue or everyone has bogus announces. There 
is hopefully going to be a presentation at NANOG by Tony and Yakov about 
cryptographic signing of prefix origination. This is a load more work in 
several ways, but it does strike at the heart of the problem.


> Regards
> Matt.
> ---
> Matt Ryan - Network Engineer                    [email protected]
> Planet OnLine Ltd, The White House,             Tel: +44 113 2345566
> Melbourne Street, Leeds, LS2 7PS, UK            Fax: +44 113 2240003