[14624] in North American Network Operators' Group
Re: BGP community based IP filtering
daemon@ATHENA.MIT.EDU (Jerry Scharf)
Thu Jan 15 10:55:28 1998
To: Matt Ryan <matt@planet.net.uk>
cc: nanog@merit.edu
In-reply-to: Your message of "Thu, 15 Jan 1998 14:18:21 GMT."
<199801151418.JAA01435@merit.edu>
Date: Thu, 15 Jan 1998 07:46:12 -0800
From: Jerry Scharf <scharf@vix.com>
>
>
> I've been having an email discussion with a couple of Cisco engineers about
> how useful BGP community based IP filtering might be. The following IOS
> config fragment might help explain what I'm getting at:
>
> int fddi0
>  ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
>
> If you are using communities to make your prefix announcements to peers,
> this then allows the router to filter incoming IP packets that match your
> announcements. Excepting things like CPU load, implementation details, etc.,
> do you think this would be helpful, or am I way off with this?
IMO, this still has the problem of there being a local agreement between the
peers that requires them to have a clue or everyone has bogus announces. There
is hopefully going to be a presentation at NANOG by Tony and Yakov about
cryptographic signing of prefix origination. This is a load more work in
several ways, but it does strike at the heart of the problem.
jerry
>
>
> Regards
>
>
> Matt.
>
> ---
> Matt Ryan - Network Engineer matt@planet.net.uk
> Planet OnLine Ltd, The White House, Tel: +44 113 2345566
> Melbourne Street, Leeds, LS2 7PS, UK Fax: +44 113 2240003
>
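
The mechanism proposed in the quoted message, modelled as an added example (not code from either poster and not real IOS behaviour): a packet filter is derived from the routes in the BGP table that carry a permitted community, and the second run shows the dependency raised in the reply, that the filter simply follows whatever is announced and tagged. Assumptions: the prefixes and the 64500:* communities are constructed stand-ins for AA:BB and CC:DD, all function names are hypothetical, and since the message does not say which address field is matched, the address to test is passed in by the caller.

```python
import ipaddress

# Constructed sample BGP table: (prefix, communities attached to the route).
ROUTES = [
    ("192.0.2.0/24",    {"64500:100"}),
    ("198.51.100.0/24", {"64500:200", "64500:999"}),
    ("203.0.113.0/24",  {"64500:999"}),         # no permitted community
]
COMMUNITY_LIST_10 = {"64500:100", "64500:200"}  # the two "permit" entries


def build_packet_filter(routes, permitted):
    """Prefixes whose route carries at least one permitted community."""
    nets = [ipaddress.ip_network(p) for p, comms in routes if comms & permitted]
    return list(ipaddress.collapse_addresses(nets))


def permit_packet(addr, packet_filter):
    """Interface check: accept only if the address falls inside the filter."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in packet_filter)


def evaluate(routes, permitted, addrs):
    """Map each test address to the permit/deny decision it would get."""
    flt = build_packet_filter(routes, permitted)
    return {a: permit_packet(a, flt) for a in addrs}


if __name__ == "__main__":
    addrs = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "10.1.1.1"]
    print(evaluate(ROUTES, COMMUNITY_LIST_10, addrs))
    # The filter is only as trustworthy as the routes and tags it is built
    # from: one unverified route carrying a permitted community widens it,
    # and nothing local to the router notices the difference.
    widened = ROUTES + [("10.0.0.0/8", {"64500:100"})]
    print(evaluate(widened, COMMUNITY_LIST_10, addrs))
```
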