[30247] in North American Network Operators' Group
Re: someone RBL'd a reserveD-8 number from IANA
daemon@ATHENA.MIT.EDU (Simon Leinen)
Thu Jul 20 17:57:55 2000
To: Paul Vixie <vixie@mibh.net>
Cc: nanog@merit.edu
From: Simon Leinen <simon@limmat.switch.ch>
In-Reply-To: Paul Vixie's message of "20 Jul 2000 10:21:10 -0700"
Date: 20 Jul 2000 23:55:47 +0200
Message-ID: <aad7k84gbg.fsf@limmat.switch.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
>>>>> "pv" == Paul Vixie <vixie@mibh.net> writes:
> I've also thought that if routers could filter based on looking up
> source addresses in a BGP-made RIB, rather than just destination
> addresses, that the whole filtering-by-remote-control industry would
> appreciate the hell out of it. I'm pretty sure that both the 12016
> and M160 have the hardware it would take to do this at wire speed,
> but I'm also pretty sure that the market for this feature is
> perceived by both vendors as "small."
Cisco's "QoS Policy Propagation via BGP" could almost be used to
implement this. The feature is described in
http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/bgpprop.htm
You can map packets to a service policy according to source(!) or
destination address, using an index (the "qos-group") that is stored
in the FIB by a route-map action in BGP.
The only problem is to define a service policy that drops such packets
unconditionally. I haven't found a solution for that, but if there's
enough demand, Cisco could easily come up with such a service policy I
guess. Otherwise I think the following configuration should do it,
given a sufficiently recent IOS:
class-map illegal-source-addresses
 match qos-group 78
!
policy-map drop-illegal-source-addresses
 class illegal-source-addresses
 !!! note: the following doesn't work because the bandwidth has to be
 !!! at least 8 (kbps). Maybe Cisco could be talked into
 !!! implementing a "drop" command that could be used instead.
  bandwidth 0
!
interface POS2/1/0
 description Evil Outside World
 ! classify incoming packets by looking up their SOURCE address in the FIB
 bgp-policy source ip-qos-map
!
router bgp 1234
 ! copy the qos-group set by the route-map into the FIB entries
 table-map mark-illegal-source-addresses
 neighbor 5.6.7.8 description Vixie's BGP Feed Of Illegal Prefixes
 neighbor 5.6.7.8 remote-as 5678
!
! match any path that starts with the feed's AS
ip as-path access-list 56 permit ^5678_
!
route-map mark-illegal-source-addresses
 match as-path 56
 set ip qos-group 78
--
Simon.
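An added illustration, not from Simon's message, Cisco's documentation or any router code: a small Python model of the mechanism the configuration above describes. The as-path ACL, the route-map that sets qos-group 78, the table-map into the FIB and the source-address lookup are emulated in software; all prefixes, AS numbers and addresses are constructed sample values.

```python
import ipaddress
import re

ILLEGAL_QOS_GROUP = 78  # "set ip qos-group 78"

def ios_as_path_regex(pattern):
    """Translate an IOS as-path ACL regex: "_" matches a token boundary."""
    return re.compile(pattern.replace("_", r"(?:^|\s|$)"))

AS_PATH_ACL_56 = ios_as_path_regex("^5678_")  # "ip as-path access-list 56"

# Constructed sample BGP updates as (prefix, as-path) pairs: two prefixes
# learned from the hypothetical feed in AS 5678, one ordinary route, and a
# more specific route that covers part of a listed prefix.
SAMPLE_UPDATES = [
    ("10.0.0.0/8", "5678"),
    ("192.168.0.0/16", "5678 65010"),
    ("192.0.2.0/24", "65001 65002"),
    ("10.1.0.0/16", "65001"),
]

def mark_illegal_source_addresses(as_path):
    """The route-map: qos-group to store with the route, or None."""
    return ILLEGAL_QOS_GROUP if AS_PATH_ACL_56.search(as_path) else None

def build_fib(updates):
    """'table-map': build FIB entries (network, qos_group) from BGP updates."""
    fib = [(ipaddress.ip_network(p), mark_illegal_source_addresses(path))
           for p, path in updates]
    # Most specific prefix first, so the first hit below is the LPM result.
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib

def lookup_qos_group(fib, address):
    """'bgp-policy source ip-qos-map': longest-prefix match on the source."""
    addr = ipaddress.ip_address(address)
    for network, qos_group in fib:
        if addr in network:
            return qos_group
    return None  # no route: no qos-group, so the class-map does not match

def drop_illegal_source(fib, src):
    """Policy 'drop-illegal-source-addresses': True if the packet is dropped."""
    return lookup_qos_group(fib, src) == ILLEGAL_QOS_GROUP
```

Note that a more specific legitimate route (10.1.0.0/16 above) wins the lookup over the feed's covering prefix, exactly as it would in the FIB.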