[164778] in North American Network Operators' Group

Re: nLayer IP transit

daemon@ATHENA.MIT.EDU (Saku Ytti)
Thu Aug 1 02:14:14 2013

Date: Thu, 1 Aug 2013 09:13:59 +0300
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <CAJrnVYaD+u9CCtbUA9bK-XpXoca7FzR+EV950qaeUfSxq5Ye+A@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On (2013-08-01 10:00 +1000), Mark Tees wrote:

> I remember reading a while back that customers of nLayer IP transit
> services could send in Flowspec rules to nLayer. Anyone know if that is
> true/current?

Anyone planning to do this might want to be aware that the validation
process of flowspec does not limit actions.

In practice this means, if you do run flowspec to your customers, your
customers likely can inject traffic to arbitrary VRFs.

I feel the RFC should have explicitly stated valid actions for the validation
process, which the operator MAY change, and any other action MUST cause the
validation process to fail.


-- 
  ++ytti
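
The action allow-list proposed in the message above, as an added example (not part of the original post and not any router vendor's implementation). It uses the flowspec action extended-community code points from RFC 5575; the allow-list policy, AS 64500 and route target 64500:999 are constructed assumptions.

```python
import struct

# Flowspec action extended communities (2-byte type/subtype) from RFC 5575.
ACTIONS = {
    0x8006: "traffic-rate",
    0x8007: "traffic-action",
    0x8008: "redirect",
    0x8009: "traffic-marking",
}

# Hypothetical operator policy: customers may only rate-limit or drop.
ALLOWED = {"traffic-rate"}


def parse_ext_communities(attr: bytes):
    """Split an Extended Communities attribute value into (type, value) pairs."""
    if len(attr) % 8:
        raise ValueError("extended communities must be a multiple of 8 bytes")
    for off in range(0, len(attr), 8):
        (kind,) = struct.unpack_from("!H", attr, off)
        yield kind, attr[off + 2 : off + 8]


def validate_actions(attr: bytes, allowed=ALLOWED):
    """Return (ok, reasons). Fails closed: any community not allow-listed rejects the route."""
    try:
        communities = list(parse_ext_communities(attr))
    except ValueError as exc:
        return False, [str(exc)]
    reasons = []
    for kind, value in communities:
        name = ACTIONS.get(kind, f"unknown-0x{kind:04x}")
        if name not in allowed:
            reasons.append(f"{name} not permitted (value {value.hex()})")
    return not reasons, reasons


# Constructed sample attributes (not captured traffic).
# traffic-rate: 2-byte AS 64500, IEEE float rate 0.0 means discard.
DROP = struct.pack("!HHf", 0x8006, 64500, 0.0)
# redirect: route target 64500:999, i.e. steer matching traffic into that VRF.
REDIRECT = struct.pack("!HHI", 0x8008, 64500, 999)

if __name__ == "__main__":
    for label, attr in [("drop", DROP), ("drop+redirect", DROP + REDIRECT)]:
        print(label, validate_actions(attr))
```

Run this check on customer-facing flowspec sessions in addition to the RFC's NLRI validation, which only looks at the destination prefix and its originator.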

