[68146] in North American Network Operators' Group
Re: UUNet Offer New Protection Against DDoS
daemon@ATHENA.MIT.EDU (Patrick W.Gilmore)
Wed Mar 3 17:15:24 2004
In-Reply-To: <Pine.LNX.4.44.0403032144510.15621-100000@server2.tcw.telecomplete.net>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Wed, 3 Mar 2004 17:14:30 -0500
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Mar 3, 2004, at 4:47 PM, Stephen J. Wilcox wrote:
> I'm puzzled by one aspect on the implementation.. how to build your
> customer
> prefix filters.. that is, we have prefix-lists for prefix and length.
> Therefore
> at present we can only accept a tagged route for a whole block.. not
> good if the
> announcement is a /16 etc !
MCI handles this by only filtering on prefix, not length. Well,
allowing you to only announce up to your length, not shorter, but
longer is allowed.
> Now, I could do as per the website at secsup.org which means we have a
> route-map
> entry to match the community before the filtering .. but that would
> allow the
> customer to null route any ip.
>
> What we need is one to allow them to announce any route including more
> specifics of the prefix list - how are folks doing this?
It's not hard. I think the old UUNET just used standard ACLs (1->99).
:) But with prefix filters, you can set gt & lt prefix lengths on the
filters trivially.
Of course, your customers can then deaggregate to their hearts content.
If they do, you should hunt them down and LART them. But it is useful
for some things, especially when combined with no_export, the
black-hole communities, or other communities.
--
TTFN,
patrick
