[179521] in North American Network Operators' Group
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Apr 16 17:30:38 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <55301E9B.4010601@bogus.com>
Date: Thu, 16 Apr 2015 17:30:35 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: joel jaeggli <joelja@bogus.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Thu, Apr 16, 2015 at 4:42 PM, joel jaeggli <joelja@bogus.com> wrote:
> On 4/16/15 1:30 PM, Valdis.Kletnieks@vt.edu wrote:
>> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>>
>>> If you don't want packets from 1312 don't announce to them?
>>
>> I'm probably at least 4-5 AS's away, and you're probably routed to us
>> through Cogent or similar large transit. Feel free to not announce your
>> routes to Cogent because you don't want packets from my AS...
>>
>> (For whatever value of "Cogent" you have for your upstream)
>
> Bearing in mind that transit providers rarely give you communities to
> influence their customers, just peers. There is an illusion of control
> that provider no-export communities provide that always requires
> confirmation when applied. If 1312 buys the full internet cone they can
> also install a default, so they can send you packets even if they in
> fact do not have your route.
Lesson learned: don't use an example...
Note I also said:
" (or other similar options)."
(ha! here's more examples!)
o poison the route with the remote ASN in the AS path! (except for
default followers)
o ask for a packet filter from your upstream ISP
o stop announcing your route
o filter on your side of the fence.
In any case the idea still seems silly.
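The "poison the route with the remote ASN in the AS path (except for default followers)" option above is worth seeing end to end. The following is an added example, not code from the thread or from any of its participants: a toy BGP propagation model in Python. Each AS applies BGP's AS-path loop detection (a received path containing the receiver's own ASN is dropped), installs the first path it hears, and re-announces with its ASN prepended. The topology and ASNs are constructed; they use the 64496-64511 range reserved for documentation, with 64500 standing in for the AS you do not want packets from (the thread's "1312"). The model ignores routing policy (no valley-free filtering) and tie-breaking; it exists only to show that poisoning keeps the prefix out of 64500's table while a default route at 64500 still delivers its packets to you.

```python
"""Toy BGP propagation model (added example, not from the NANOG thread).

Demonstrates AS-path poisoning: an origin announces its own prefix with
the target ASN embedded in the AS path, so the target's loop detection
rejects the route.  Also shows the caveat from the thread: a target that
follows a default route reaches the origin anyway.
"""
from collections import deque

# Constructed topology (documentation ASNs, RFC 5398).  Undirected links,
# listed as adjacency; every AS announces every route it installs to
# every neighbour (no policy, no valley-free check: a deliberate
# simplification).
TOPOLOGY = {
    64496: [64497],                 # origin: "me", single upstream
    64497: [64496, 64498, 64499],   # my transit provider
    64498: [64497, 64500],          # a larger transit further out
    64499: [64497, 64501],
    64500: [64498],                 # the AS I don't want packets from
    64501: [64499],                 # an innocent bystander
}
ORIGIN = 64496
TARGET = 64500


def propagate(topology, origin, announced_path):
    """Flood one prefix from `origin` with the given initial AS path.

    Returns {asn: (as_path, next_hop)} for every AS that installed it.
    The origin's entry has next_hop None.  Each receiver applies loop
    detection: a path already containing its own ASN is discarded.
    """
    tables = {origin: (tuple(announced_path), None)}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        path, _ = tables[asn]
        for nbr in topology[asn]:
            if nbr in tables:
                continue            # toy model: first path heard wins
            if nbr in path:
                continue            # AS-path loop detection drops it
            tables[nbr] = ((nbr,) + path, asn)
            queue.append(nbr)
    return tables


def forwards_to(tables, defaults, src, origin, max_hops=16):
    """Follow next hops from `src` toward `origin`.

    An AS without the prefix in its table uses its default (if any).
    Returns True if a packet from `src` reaches `origin`.
    """
    asn = src
    for _ in range(max_hops):
        if asn == origin:
            return True
        if asn in tables:
            asn = tables[asn][1]
        elif asn in defaults:
            asn = defaults[asn]
        else:
            return False            # no route, no default: dropped
    return False


def run_scenarios():
    """Compare a plain announcement with one poisoned for TARGET."""
    plain = propagate(TOPOLOGY, ORIGIN, (ORIGIN,))
    # Poisoned path: origin, target, origin.  The target sees itself in
    # the path and rejects the route; everyone else installs it.
    poisoned = propagate(TOPOLOGY, ORIGIN, (ORIGIN, TARGET, ORIGIN))
    return {
        "unpoisoned": {
            "target_has_route": TARGET in plain,
            "reaches_origin": forwards_to(plain, {}, TARGET, ORIGIN),
        },
        "poisoned": {
            "target_has_route": TARGET in poisoned,
            "reaches_origin_without_default":
                forwards_to(poisoned, {}, TARGET, ORIGIN),
            # "default follower": TARGET points default at its upstream
            "reaches_origin_with_default":
                forwards_to(poisoned, {TARGET: 64498}, TARGET, ORIGIN),
        },
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Two real-world caveats the toy does not model: a router explicitly configured to accept paths containing its own ASN (Cisco `allowas-in`, Junos `loops`) ignores the poisoning, and some networks strip or reject paths they consider malformed, so the option in the list above is not a guarantee, only one more knob.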