North American Network Operators Group


Re: UUNet Offer New Protection Against DDoS

  • From: Stephen J. Wilcox
  • Date: Wed Mar 03 17:24:43 2004

> > I'm puzzled by one aspect on the implementation.. how to build your customer
> > prefix filters.. that is, we have prefix-lists for prefix and length.  
> > Therefore at present we can only accept a tagged route for a whole block..
> > not good if the announcement is a /16 etc !
> 
> MCI handles this by only filtering on prefix, not length.  Well, 
> allowing you to only announce up to your length, not shorter, but 
> longer is allowed.

Hmm, not keen. We have moved acl->prefix w/len to stop folks from doing this; in
addition we have an extra filter which overrides anything that would deny
anything longer than a /24. I'm not keen to change that.. LART appears to have
little or no effect with my customers; preemption appears to be the only way!

Steve


> > Now, I could do as per the website at secsup.org which means we have a
> > route-map entry to match the community before the filtering .. but that
> > would allow the customer to null route any ip.
> >
> > What we need is one to allow them to announce any route including more
> > specifics of the prefix list - how are folks doing this?
> 
> It's not hard.  I think the old UUNET just used standard ACLs (1->99). 
> :)  But with prefix filters, you can set gt & lt prefix lengths on the 
> filters trivially.
> 
> Of course, your customers can then deaggregate to their hearts content. 
>   If they do, you should hunt them down and LART them.  But it is useful 
> for some things, especially when combined with no_export, the 
> black-hole communities, or other communities.
> 
>
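The thread turns on two points: a prefix-list that matches only the exact prefix and length cannot admit a customer's more-specifics, whereas an entry with an upper length bound (Cisco-style `le`) can, and a route-map that matches the blackhole community before the prefix filter lets a customer null-route addresses outside their own allocation. The following Python model, written here as an illustration and not taken from any poster or vendor, reproduces the prefix-list semantics (covering prefix plus a length window) and the two policy orderings. The customer block 10.0.0.0/16, the community value 65535:666 and the /24 maximum length are constructed values for the example.

```python
"""Model of customer BGP prefix filtering with an optional blackhole community.

Added example; the addresses, community value and length limit are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed placeholder: a provider publishes its own blackhole community.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'permit <network> le <n>' line; le == prefixlen means exact match."""
    network: ipaddress.IPv4Network
    le: int


def prefix_list_permits(entries: Iterable[PrefixListEntry], route: str) -> bool:
    """True if the route lies inside an entry's network and its length is
    between the entry's own length and the entry's 'le' bound."""
    net = ipaddress.ip_network(route)
    for entry in entries:
        if net.subnet_of(entry.network) and entry.network.prefixlen <= net.prefixlen <= entry.le:
            return True
    return False


def evaluate_route(entries: Iterable[PrefixListEntry], route: str,
                   communities: Iterable[str],
                   community_before_filter: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for a customer announcement.

    community_before_filter=True models a route-map that acts on the blackhole
    community before the prefix-list is consulted: any tagged route is
    discarded-routed, whether or not the customer is allowed to announce it.
    The default applies the prefix-list first, so blackholing is confined to
    the customer's own address space.
    """
    tagged = BLACKHOLE_COMMUNITY in set(communities)
    if community_before_filter and tagged:
        return ("blackhole", "community matched before prefix filter; no origin check")
    if not prefix_list_permits(entries, route):
        return ("deny", "outside customer prefix-list")
    if tagged:
        return ("blackhole", "permitted prefix carrying blackhole community")
    return ("accept", "permitted prefix")


# Constructed customer allocation: 10.0.0.0/16.
EXACT_ONLY = [PrefixListEntry(ipaddress.ip_network("10.0.0.0/16"), le=16)]
UP_TO_SLASH_24 = [PrefixListEntry(ipaddress.ip_network("10.0.0.0/16"), le=24)]


if __name__ == "__main__":
    for entries, label in ((EXACT_ONLY, "exact"), (UP_TO_SLASH_24, "le 24")):
        for route in ("10.0.0.0/16", "10.0.5.0/24", "10.0.5.0/25", "10.1.0.0/24"):
            print(f"{label:6} {route:14} permit={prefix_list_permits(entries, route)}")
    print(evaluate_route(UP_TO_SLASH_24, "192.0.2.0/24", [BLACKHOLE_COMMUNITY]))
    print(evaluate_route(UP_TO_SLASH_24, "192.0.2.0/24", [BLACKHOLE_COMMUNITY],
                         community_before_filter=True))
```

With the exact-match list, the /16 is the only announcement admitted; with `le 24` the customer's /24s are admitted while a /25 is still refused, which is the behaviour described above. The last two calls show why the prefix-list has to run first: with community matching ahead of the filter, a tagged 192.0.2.0/24 that the customer does not own would be blackholed, whereas filter-first denies it.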