[10699] in North American Network Operators' Group


Re: weird BGP cisco-ism? [problem resolved]

daemon@ATHENA.MIT.EDU (Charles Sprickman)
Sat Jul 12 00:27:24 1997

Date: Sat, 12 Jul 1997 00:17:56 -0400 (EDT)
From: Charles Sprickman <spork@inch.com>
To: Robert Gutierrez <Robert_Gutierrez@3mail.3Com.com>
cc: nanog@merit.edu
In-Reply-To: <33C6E6E9.5B17@3mail.3Com.com>

Not to totally go off the subject, but if you have a ruleset like this
implemented for all of your customers, what type of extra load does the
route filtering impose on a router?  We're a rather small ISP, and we
don't use BGP at all; I'm just curious what type of impact this has.

Thanks,

Charles

On Fri, 11 Jul 1997, Robert Gutierrez wrote:
> your other BGP peers?  Inbound, I mean.  Very simple:
> 
>    router bgp 1
>    neighbor 10.1.1.1 remote-as 2
>    neighbor 10.1.1.1 filter-list 99 in
> 
>    as-path access-list 99 deny ^$
>    as-path access-list 99 deny ^1_
>    [etc -- however you want to set it up]
> 
> Isn't this akin to wearing a condom nowadays in the 'net BGP routing
> warz.
> 
> Before I left my last job, I was on my way to installing anal as-path
> access lists for our own customers who did BGP to prevent the above and
> also prevent another Florida fiasco.  The idea was that we would only
> accept explicit addresses from those BGP peers.  All that was needed was
> to add a list for each peer:
> 
>    neighbor 10.1.1.1 distribute-list 10 in
>    access-list 10 permit 172.16.0.0
> 
> or even worse, enforce CIDR/prevent subnets by only accepting the
> specific block advertisement:
> 
>    access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> 
> Just good practice to me :)  Hopefully everybody else is doing the
> same???
> 
> 
> 	Rob Gutierrez / 3Com - GIS Internet Security
> 
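
The two inbound filters quoted above, evaluated in Python over constructed updates (an added example, not part of the original message or of any router code). It assumes a trailing `permit .*` in list 99 in place of "[etc]", and treats the four-field entry as an extended list matching network and mask; the function names and sample routes are made up for illustration.

```python
import ipaddress
import re

def cisco_re(pattern):
    # IOS "_" matches a delimiter (space, comma, braces, parens) or either end of the path.
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

# as-path access-list 99 from the message. The final permit is an assumption standing
# in for "[etc]": a list holding only deny entries would drop every route.
AS_PATH_99 = [("deny", cisco_re("^$")), ("deny", cisco_re("^1_")), ("permit", cisco_re(".*"))]

def as_path_permitted(as_path, acl=AS_PATH_99):
    for action, rx in acl:
        if rx.search(as_path):
            return action == "permit"  # first match wins
    return False  # implicit deny at the end of the list

def wild_match(value, base, wildcard):
    # Bits set in the wildcard are "don't care"; all other bits must be equal.
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(value) & care) == (int(ipaddress.ip_address(base)) & care)

def standard_permits(prefix, net="172.16.0.0", wc="0.0.0.0"):
    # Standard list: only the network address of the route is compared.
    return wild_match(ipaddress.ip_network(prefix).network_address, net, wc)

def extended_permits(prefix, net="172.16.0.0", net_wc="0.0.0.0",
                     mask="255.255.0.0", mask_wc="0.0.0.0"):
    # Extended form: "source" matches the network, "destination" matches the mask.
    p = ipaddress.ip_network(prefix)
    return wild_match(p.network_address, net, net_wc) and wild_match(p.netmask, mask, mask_wc)

def inbound_accepts(prefix, as_path, exact=True):
    prefix_ok = extended_permits(prefix) if exact else standard_permits(prefix)
    return as_path_permitted(as_path) and prefix_ok

# Constructed updates from the peer in AS 2: (prefix, AS path as IOS would display it).
UPDATES = [("172.16.0.0/16", "2"), ("172.16.0.0/24", "2"), ("172.16.0.0/16", "2 1 7"),
           ("172.16.0.0/16", "1 2"), ("192.168.0.0/16", "2"), ("172.16.0.0/16", "")]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(f"{prefix:18} [{path:5}] standard={inbound_accepts(prefix, path, False)!s:5} "
              f"exact={inbound_accepts(prefix, path)}")
```

The /24 row is the one to look at: the standard list accepts it because only the network address is compared, while the network-plus-mask entry rejects it.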
