North American Network Operators Group
Re: someone RBL'd a reserveD-8 number from IANA
>>>>> "pv" == Paul Vixie <[email protected]> writes:

> I've also thought that if routers could filter based on looking up
> source addresses in a BGP-made RIB, rather than just destination
> addresses, that the whole filtering-by-remote-control industry would
> appreciate the hell out of it. I'm pretty sure that both the 12016
> and M160 have the hardware it would take to do this at wire speed,
> but I'm also pretty sure that the market for this feature is
> perceived by both vendors as "small."

Cisco's "QoS Policy Propagation via BGP" could almost be used to implement this. The feature is described in

http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/bgpprop.htm

You can map packets to a service policy according to source(!) or destination address, using an index (the "qos-group") that is stored in the FIB by a route-map action in BGP. The only problem is to define a service policy that drops such packets unconditionally. I haven't found a solution for that, but if there's enough demand, Cisco could easily come up with such a service policy, I guess.

Otherwise I think the following configuration should do it, given a sufficiently recent IOS:

class-map illegal-source-addresses
 match qos-group 78
!
policy-map drop-illegal-source-addresses
 class illegal-source-addresses
  !!! note: the following doesn't work because the bandwidth has to be
  !!! at least 8 (kbps). Maybe Cisco could be talked into
  !!! implementing a "drop" command that could be used instead.
  bandwidth 0
!
interface POS2/1/0
 description Evil Outside World
 bgp-policy source ip-qos-map
!
router bgp 1234
 table-map mark-illegal-source-addresses
 neighbor 5.6.7.8 description Vixie's BGP Feed Of Illegal Prefixes
 neighbor 5.6.7.8 remote-as 5678
!
ip as-path access-list 56 permit ^5678_
!
route-map mark-illegal-source-addresses
 match as-path 56
 set ip qos-group 78

-- 
Simon.
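The mechanism the post proposes, a BGP route-map that tags FIB entries with a qos-group by AS path and an interface policy that classifies packets on their source address, modelled in Python as an added example. This is not code from the post or from Cisco. AS 5678, as-path access-list 56, qos-group 78 and the route-map name are taken from the post's configuration; the prefixes, the AS paths, the IOS "_" regex handling and the unconditional "drop" action are constructed assumptions (the post itself notes that IOS offered no such drop action in a policy-map at the time).

```python
import ipaddress
import re

# Added example modelling QoS Policy Propagation via BGP as the post uses it.
# All data below is constructed; the prefixes are RFC 5737 documentation ranges.

ILLEGAL_QOS_GROUP = 78      # "set ip qos-group 78" in the post's route-map
AS_PATH_ACL_56 = "^5678_"   # "ip as-path access-list 56 permit ^5678_"

# Constructed BGP table: (prefix, AS path as received). AS 5678 plays the
# role of the hypothetical feed of illegal prefixes from the post.
SAMPLE_BGP_TABLE = [
    ("192.0.2.0/24",     [5678]),          # directly from the feed
    ("198.51.100.0/24",  [5678, 64496]),   # feed in first position: matches
    ("203.0.113.0/24",   [64500, 64501]),  # ordinary transit route
    ("203.0.113.128/25", [64500, 5678]),   # 5678 not first: must not match
]


def ios_as_path_regex(pattern):
    """Translate an IOS as-path regex into a Python regex.

    IOS treats "_" as "any AS delimiter": the start or end of the path,
    or the whitespace between two AS numbers. That is the only IOS-specific
    token the post's access-list uses, so it is the only one modelled here.
    """
    return re.compile(pattern.replace("_", r"(?:^|\s|$)"))


def route_map_mark_illegal(as_path, acl=ios_as_path_regex(AS_PATH_ACL_56)):
    """The post's route-map: 'match as-path 56' -> 'set ip qos-group 78'."""
    rendered = " ".join(str(asn) for asn in as_path)
    return ILLEGAL_QOS_GROUP if acl.search(rendered) else None


def build_fib(bgp_table):
    """'table-map': run the route-map as each route is installed in the FIB
    and store the resulting qos-group next to the prefix."""
    return [(ipaddress.ip_network(prefix), route_map_mark_illegal(path))
            for prefix, path in bgp_table]


def fib_lookup(fib, address):
    """Longest-prefix match; returns the stored qos-group, or None when the
    address has no covering route or its route carries no qos-group."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, group in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1] if best else None


def forwarding_decision(fib, src):
    """'bgp-policy source ip-qos-map': classify on the SOURCE address.

    The class-map matches qos-group 78. The action modelled here is the
    unconditional drop the post wishes IOS offered (its 'bandwidth 0'
    workaround is rejected by IOS). A source that is not in the FIB at all
    receives no qos-group and falls through to class-default, i.e. it is
    forwarded: this scheme only acts on prefixes the feed actually carries.
    """
    if fib_lookup(fib, src) == ILLEGAL_QOS_GROUP:
        return "drop"
    return "forward"


FIB = build_fib(SAMPLE_BGP_TABLE)

if __name__ == "__main__":
    for src in ("192.0.2.5", "198.51.100.9", "203.0.113.5",
                "203.0.113.200", "10.0.0.1"):
        print(src, "->", forwarding_decision(FIB, src))
```

Running the block shows the two feed-tagged sources dropped and the rest forwarded. Two details worth checking in any real deployment are visible in the sample data: the "^" anchor in the access-list means a legitimate route that merely has AS 5678 somewhere later in its path (203.0.113.128/25 above) is left untagged, and a source address with no route in the FIB at all (10.0.0.1 above) is never classified, so this filter is only as complete as the prefix feed behind it.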