North American Network Operators Group


Re: UUNet Offer New Protection Against DDoS

  • From: Patrick W.Gilmore
  • Date: Wed Mar 03 17:42:37 2004

On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:

>>> I'm puzzled by one aspect on the implementation.. how to build your customer
>>> prefix filters.. that is, we have prefix-lists for prefix and length.
>>> Therefore at present we can only accept a tagged route for a whole block..
>>> not good if the announcement is a /16 etc !
>>
>> MCI handles this by only filtering on prefix, not length.  Well,
>> allowing you to only announce up to your length, not shorter, but
>> longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
What's wrong with letting customers announce /32s into your network, as long as you do not pass it to anyone else (including other customers)?

Here is what I did (when I had a network =) :
* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out

Theoretically, the Bogon out filters are irrelevant, since your table should be clean from the inbound filters, but I like "belt and suspenders". (Plus one day I leaked a slew of 10-net from a NOC test LAN and hit one of the Merit instability mailing lists. Burned once, twice shy. :)
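The four-point policy above, modelled in Python so the interactions can be checked: customers may announce anything inside their assigned block down to a /32, those more-specifics stay inside the network, and the outbound bogon filter still catches a locally originated 10-net route that never passed an inbound filter. This is an added illustration, not configuration from the original message or from any router vendor; the customer blocks, the bogon list, the "cust-only" community value and all announcements are constructed sample data.

```python
import ipaddress

# Constructed policy data (assumptions for the example, not from the post).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUST_ONLY = "65000:100"      # assumed community meaning "learned from a customer"
MAX_LEN = 24                 # nothing longer than a /24 leaves the network
CUSTOMER_BLOCKS = {          # per-customer prefix-list with "le 32" semantics
    "custA": [ipaddress.ip_network("198.51.100.0/24")],
    "custB": [ipaddress.ip_network("203.0.113.0/24")],
}


def _net(x):
    """Accept either a string or an already-parsed IPv4Network."""
    return x if isinstance(x, ipaddress.IPv4Network) else ipaddress.ip_network(x)


def is_bogon(prefix):
    net = _net(prefix)
    return any(net.subnet_of(b) for b in BOGONS)


def import_from_customer(customer, prefix):
    """Prefix filter customers in, allowing more specifics (down to /32)."""
    net = _net(prefix)
    if any(net.subnet_of(b) for b in CUSTOMER_BLOCKS.get(customer, [])):
        return {"net": net, "communities": {CUST_ONLY}}
    return None


def import_from_peer(prefix):
    """Bogon & /24 filter peers in."""
    net = _net(prefix)
    if is_bogon(net) or net.prefixlen > MAX_LEN:
        return None
    return {"net": net, "communities": set()}


def export_to_customer(route):
    """Filter > /24s & bogons out to customers."""
    return not is_bogon(route["net"]) and route["net"].prefixlen <= MAX_LEN


def export_to_peer(route):
    """Bogon, /24, and cust-only community filter peers out."""
    return export_to_customer(route) and CUST_ONLY in route["communities"]


def run_policy(customer_updates, peer_updates, local_routes):
    """Apply the four filters and report which prefixes end up where."""
    rib = []
    for cust, prefix in customer_updates:
        r = import_from_customer(cust, prefix)
        if r:
            rib.append(r)
    for prefix in peer_updates:
        r = import_from_peer(prefix)
        if r:
            rib.append(r)
    # Locally originated routes (a test LAN redistributed into BGP, say) never
    # pass an inbound filter; only the outbound filters can stop them leaking.
    for prefix in local_routes:
        rib.append({"net": _net(prefix), "communities": {CUST_ONLY}})
    return {
        "rib": sorted(str(r["net"]) for r in rib),
        "to_customers": sorted(str(r["net"]) for r in rib if export_to_customer(r)),
        "to_peers": sorted(str(r["net"]) for r in rib if export_to_peer(r)),
    }


# Constructed sample session: two customer /24s, a /32 more-specific, one
# customer announcing a block that is not theirs, a peer sending a /25 and a
# bogon, and a leaked 10-net test LAN originated locally.
SAMPLE_CUSTOMER = [("custA", "198.51.100.0/24"),
                   ("custA", "198.51.100.7/32"),
                   ("custA", "203.0.113.0/24")]
SAMPLE_PEER = ["192.0.2.0/24", "192.0.2.0/25", "10.0.0.0/8"]
SAMPLE_LOCAL = ["10.20.0.0/16"]


def demo():
    return run_policy(SAMPLE_CUSTOMER, SAMPLE_PEER, SAMPLE_LOCAL)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The /32 from custA lands in the table but is exported to nobody, which is the point made above: accepting it is harmless as long as it is not passed on. The leaked 10.20.0.0/16 carries the cust-only community, so it is the bogon check on the outbound side, not the community check, that keeps it off both peers and customers.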

--
TTFN,
patrick