[45146] in North American Network Operators' Group
Re: FW: router startup behavior
daemon@ATHENA.MIT.EDU (Stephen Griffin)
Fri Jan 18 16:04:42 2002
Message-Id: <200201182103.QAA18348@elektra.ultra.net>
In-Reply-To: <20020118051152.GJ2172@puck.nether.net> from Jared Mauch at "Jan 18, 2002 00:11:52 am"
To: jared@puck.Nether.net (Jared Mauch)
Date: Fri, 18 Jan 2002 16:03:35 -0500 (EST)
From: Stephen Griffin <stephen.griffin@rcn.com>
Cc: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
In the referenced message, Jared Mauch said:
>
> You may want to consider using tftp/rcp/whatnot loaded
> files for this.
>
> As it loads [most if not all depending on the config length] all
> of the config then parses it promptly.
>
> this will prevent leakage in rare cases.
>
> - jared
I have noted that even tftp-loaded files run the risk of a BGP scan
occurring between the parsing of "no access-list foo" and the parsing
of the first "access-list foo" line. It appears Brand C takes the
non-existence of an access-list to mean "implicit permit". I think this
is probably the source of much of the seen mini-leaks.
As someone else mentioned, prefix-lists (again brand C) do allow for
insertion and deletion of individual items at "any" point in the list,
so may be a good workaround. However, if you are doing anything at all
"interesting" in your acls, it becomes a lot more difficult to translate
over to prefix-lists.
One major item that seems missing is the ability to match less-specifics.
There are certain instances when this would be really nifty. Brand C
extended acls, and Brand J prefix-lists seem to be able to partially cover
this, but not perfectly.
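As an added illustration (not from the post, and not any vendor's code), the following Python model applies a constructed config one line at a time and simulates a BGP scan after each line under the semantics the post describes: a referenced list that does not exist is an implicit permit, and an existing list ends in an implicit deny. The list names, prefixes and the exact prefix-list syntax are assumptions.

```python
import ipaddress
# Constructed "Brand C"-style fragments (not from the post). The reload form deletes the
# whole list and re-adds it; the prefix-list form replaces seq 5 while seq 10 (deny all) stays.
RELOAD_ACL = [
    "no access-list 10",
    "access-list 10 permit 192.0.2.0 0.0.0.255",  # implicit deny follows
]
PREFIX_LIST_EDIT = [
    "ip prefix-list CUST seq 5 permit 192.0.2.0/24",
    "ip prefix-list CUST seq 10 deny 0.0.0.0/0 le 32",
    "no ip prefix-list CUST seq 5",
    "ip prefix-list CUST seq 5 permit 192.0.2.0/23 le 24",
]
def apply_line(lists, line):
    # lists: name -> {seq: (action, match_fn)}, shared by both config styles
    negate = line.startswith("no ")
    p = line.split()[negate:]  # bool slices as 0/1: drop the leading "no"
    if p[0] == "access-list":  # ACL: whole-list delete, lines appended in order
        if negate:
            lists.pop(p[1], None)
        else:
            fixed = 32 - bin(int(ipaddress.ip_address(p[4]))).count("1")  # zero wildcard bits are fixed
            net = ipaddress.ip_network(f"{p[3]}/{fixed}", strict=False)
            entries = lists.setdefault(p[1], {})
            entries[len(entries)] = (p[2], lambda r, n=net: r.network_address in n)
    elif p[:2] == ["ip", "prefix-list"]:  # prefix-list: edits by sequence number
        name, seq = p[2], int(p[4])
        if negate:
            lists.get(name, {}).pop(seq, None)
        else:
            net = ipaddress.ip_network(p[6])
            le = int(p[8]) if len(p) > 8 and p[7] == "le" else net.prefixlen
            lists.setdefault(name, {})[seq] = (
                p[5], lambda r, n=net, hi=le: r.subnet_of(n) and r.prefixlen <= hi)
def permits(lists, name, route):
    if name not in lists:
        return True  # missing list == implicit permit: the leak window the post describes
    for _, (action, match) in sorted(lists[name].items()):
        if match(route):
            return action == "permit"
    return False  # implicit deny at the end of an existing list
def leak_window(config, list_name, route):
    # Apply lines one at a time, scanning after each; return lines after which `route` passed.
    route = ipaddress.ip_network(route)  # accepts "198.51.100.0/24" strings
    lists, passed_after = {}, []
    for line in config:
        apply_line(lists, line)
        if permits(lists, list_name, route):
            passed_after.append(line)
    return passed_after
```

Under the reload-style ACL a route that should be rejected passes for any scan that lands right after `no access-list 10`; the in-place prefix-list edit never permits it, though it does briefly deny the customer's own route while seq 5 is absent, which fails closed rather than leaking.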