North American Network Operators Group

Re: BGP community based IP filtering
> I've been having an email discussion with a couple of Cisco engineers about
> how useful BGP community based IP filtering might be. The following IOS
> config fragment might help explain what I'm getting at:
>
> int fddi0
> ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
>
> If you are using communities to make your prefix announcements to peers,
> this then allows the router to filter incoming IP packets that match your
> announcements. Excepting things like CPU load, implementation details, etc.
> do you think this would be helpful, or am I way off with this?

IMO, this still has the problem of there being a local agreement
between the peers that require them to have a clue or everyone has
bogus announces.

There is hopefully going to be a presentation at NANOG by Tony and Yakov
about cryptographic signing of prefix origination. This is a load more work
in several ways, but it does strike at the heart of the problem.

jerry

> Regards
>
> Matt.
>
> ---
> Matt Ryan - Network Engineer [email protected]
> Planet OnLine Ltd, The White House, Tel: +44 113 2345566
> Melbourne Street, Leeds, LS2 7PS, UK Fax: +44 113 2240003
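The filtering idea in the quoted message, modelled as an added Python example (not part of the original thread and not IOS code). The BGP table, prefixes and community values are constructed placeholders standing in for AA:BB and CC:DD, and the function names are hypothetical. The last case shows the dependency the reply raises: the filter accepts whatever prefixes arrive tagged with a listed community.

```python
import ipaddress

# Constructed sample BGP table: (prefix, communities attached by the peer).
# Prefixes are documentation ranges; community values are placeholders.
BGP_TABLE = [
    ("192.0.2.0/24",    {"65001:100"}),
    ("198.51.100.0/24", {"65002:200"}),
    ("203.0.113.0/24",  {"65003:300"}),   # community not in the list
]

# Stand-in for "ip community-list 10 permit AA:BB / CC:DD" in the post.
COMMUNITY_LIST_10 = {"65001:100", "65002:200"}


def build_source_filter(bgp_table, permitted):
    """Networks whose routes carry at least one permitted community."""
    return [ipaddress.ip_network(prefix)
            for prefix, communities in bgp_table
            if communities & permitted]


def permit_packet(src_ip, source_filter):
    """Inbound check: accept only sources inside a learned, tagged prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in source_filter)


def classify(packets, bgp_table, permitted):
    """Map each source address to 'permit' or 'deny' under the derived filter."""
    source_filter = build_source_filter(bgp_table, permitted)
    return {src: "permit" if permit_packet(src, source_filter) else "deny"
            for src in packets}


if __name__ == "__main__":
    packets = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "10.1.1.1"]
    print(classify(packets, BGP_TABLE, COMMUNITY_LIST_10))

    # Same packet after a peer sends an extra prefix with a listed community:
    # the derived filter widens, because it trusts the announcement as received.
    extra = BGP_TABLE + [("10.0.0.0/8", {"65001:100"})]
    print(classify(["10.1.1.1"], extra, COMMUNITY_LIST_10))
```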