North American Network Operators Group


Re: genuity - any good?

  • From: Richard A Steenbergen
  • Date: Sat Apr 13 10:13:52 2002

On Fri, Apr 12, 2002 at 05:23:04PM -0700, David Schwartz wrote:
> 
> 	One common need for advertising small routes within large blocks
> is dealing with dos attacks. If you have, say, 4 100Mbps circuits, and
> 1.2.3.4 is being DOSed, you can advertise nothing but 1.2.3.4/32 on one
> of the circuits and the DOS is now clamped at 100Mbps and everything
> else will be fine. However, it's hard to work out in advance how not to
> propagate the route outside the appropriate scope and how to do this
> without special arrangements for that particular IP while still not
> allowing every customer you have to advertise /32s for every IP they
> own.

Most providers have a community tag structure of some kind, where you can
influence things like localpref and where your route is exported to. One
of the ones people are finally starting to add is the blackhole community.
If a customer sends you a route with a certain community tag, set next-hop
to some specific IP which you route to null0 on all routers, and of 
course set no-export.

You could even link this into an automated backscatter analysis system, so
that if a customer is under attack from random source IPs and they
announce a blackhole route for the IP(s) being attacked, you can have an
automated system open a ticket with the attacking interfaces without
having to spend XX minutes getting a qualified engineer on the phone.

> 	The moral is, negotiate a reasonable BGP policy before you
> pay/sign. Make sure what seems reasonable to you also seems reasonable
> to your (prospective) provider.

I think "most" providers have very ill-defined BGP policies. Some
providers use routing registries and tell you you're lucky if you get
network change done within 24 hours. Some providers make you email them,
and have a warm body "engineer" who knows just enough to type in the
prefix lists, usually with typos. Some providers can support "/16 le 24"
and some can't (and some can but neglected to tell their NOC). And then
there is some definition of "big enough" at which most providers get tired
of maintaining your filters (and assume you have enough clue to not mess
up), and just remove them. Most make no guarantees of when they'll get
around to taking care of filter changes, and if that's a problem well
that's your fault because you should have planned your network changes
better. If you have time on your hands and want to see the full range of
policies in action from all the different transit providers, try becoming
an InterNAP customer. :)

Let's face it, most providers don't want their customers running BGP at
all. It's more work for them, and more chances for you to break something.
In fact in all statistical likelihood you probably read about it in a book
and thought it was cool, and are in no way qualified to be using it
anyways. :) When was the last time you saw a good document on how to set up
routing registry stuff being distributed from an ISP to its customers,
that didn't contain "go read these RFCs and don't bother us"? Personally
I find it distasteful that in order to be a "good net-citizen" every ISP
needs to have a bunch of warm bodies or a perl monkey writing scripts to
muck with router configs, just to keep a "dynamic" routing protocol from
being "too dynamic". But I guess life isn't perfect. :)

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
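The two mechanisms the reply describes, a "/16 le 24" style prefix filter on a customer session and a blackhole community that rewrites next-hop to a discard address and tags the route no-export, can be modelled as one inbound policy. The following is an added example written for this archive page; it is not configuration from the post or from any provider, and it is not any router vendor's syntax. The community value `65535:666`, the discard address `192.0.2.1`, the customer block `1.2.0.0/16` and all sample routes are constructed placeholders.

```python
"""Model of a provider-side inbound BGP policy for a customer session.

Ordinary prefixes are accepted only when they fall inside the customer's
registered block and are no longer than the configured maximum length
(the "/16 le 24" prefix-list idiom from the post).  A route carrying the
blackhole community is accepted down to a /32, has its next hop rewritten
to a discard address that every router in the network routes to null0,
and is tagged no-export so it never propagates beyond the provider.
"""
import ipaddress
from dataclasses import dataclass, field, replace

NO_EXPORT = "no-export"          # well-known community, never sent to eBGP peers
BLACKHOLE = "65535:666"          # constructed placeholder; the real value is provider-specific
DISCARD_NEXT_HOP = "192.0.2.1"   # constructed; statically routed to null0 on all routers


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)


@dataclass
class CustomerPolicy:
    allowed_blocks: list   # registered blocks, e.g. ["1.2.0.0/16"]
    max_len: int = 24      # the "le 24" part of "/16 le 24"


def in_allowed_block(prefix, policy):
    """True if prefix is inside one of the customer's registered blocks."""
    net = ipaddress.ip_network(prefix, strict=True)
    return any(net.subnet_of(ipaddress.ip_network(block))
               for block in policy.allowed_blocks)


def apply_inbound_policy(route, policy):
    """Return the route as it should be installed, or None if it is rejected."""
    net = ipaddress.ip_network(route.prefix, strict=True)

    # Scope check first: a customer may never announce space it does not hold,
    # whether or not the blackhole community is attached.
    if not in_allowed_block(route.prefix, policy):
        return None

    if BLACKHOLE in route.communities:
        # Blackhole routes may be any length, including a single host, but the
        # only thing they are allowed to do is point traffic at the discard
        # address inside this network; no-export keeps them from leaking.
        return replace(route,
                       next_hop=DISCARD_NEXT_HOP,
                       communities=route.communities | {NO_EXPORT})

    # Without the community, deaggregation past the configured length is
    # refused, so customers cannot sprinkle /32s into the table at will.
    if net.prefixlen > policy.max_len:
        return None

    return route


if __name__ == "__main__":
    policy = CustomerPolicy(allowed_blocks=["1.2.0.0/16"])
    for r in (Route("1.2.3.0/24", "10.0.0.2"),
              Route("1.2.3.4/32", "10.0.0.2"),
              Route("1.2.3.4/32", "10.0.0.2", {BLACKHOLE}),
              Route("5.6.7.0/24", "10.0.0.2", {BLACKHOLE})):
        print(r.prefix, sorted(r.communities), "->", apply_inbound_policy(r, policy))
```

The ordering matters: the block check runs before the community check, so the blackhole community cannot be used to sink traffic for addresses outside the customer's own allocation, and the no-export tag is added rather than trusted from the customer, so the discard route stays inside the provider's network regardless of what was sent.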