[68147] in North American Network Operators' Group
Re: UUNet Offer New Protection Against DDoS
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Wed Mar 3 17:22:49 2004
Date: Wed, 3 Mar 2004 22:22:16 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: "Patrick W.Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu
In-Reply-To: <24564F84-6D60-11D8-9FB9-000A9578BB58@ianai.net>
Errors-To: owner-nanog-outgoing@merit.edu
> > I'm puzzled by one aspect on the implementation.. how to build your customer
> > prefix filters.. that is, we have prefix-lists for prefix and length.
> > Therefore at present we can only accept a tagged route for a whole block..
> > not good if the announcement is a /16 etc !
>
> MCI handles this by only filtering on prefix, not length. Well,
> allowing you to only announce up to your length, not shorter, but
> longer is allowed.
Hmm, not keen; have moved acl->prefix w/len to stop folks from doing this. In
addition we have an extra filter which overrides anything that would deny
anything longer than a /24. I'm not keen to change that.. LART appears to have
little or no effect with my customers; preemption appears to be the only way!
Steve
> > Now, I could do as per the website at secsup.org which means we have a
> > route-map entry to match the community before the filtering .. but that
> > would allow the customer to null route any ip.
> >
> > What we need is one to allow them to announce any route including more
> > specifics of the prefix list - how are folks doing this?
>
> It's not hard. I think the old UUNET just used standard ACLs (1->99).
> :) But with prefix filters, you can set gt & lt prefix lengths on the
> filters trivially.
>
> Of course, your customers can then deaggregate to their hearts content.
> If they do, you should hunt them down and LART them. But it is useful
> for some things, especially when combined with no_export, the
> black-hole communities, or other communities.
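The filter the thread is circling around (accept a customer's block and its
more-specifics down to /24, but let a blackhole-tagged route be as long as a
/32 and still only inside that customer's own block) can be expressed as an
ordered route-map with two prefix-lists. The following is an added Cisco
IOS-style illustration, not configuration from the thread, MCI/UUNET or
secsup.org: the ASNs, the community value 64500:666, the prefix-list and
route-map names, and the addresses (RFC 5737 documentation space) are all
assumptions.

```cisco
! Added example, not from the original thread. Customer AS 64496 (documentation
! ASN) is assumed to hold 192.0.2.0/24 (RFC 5737 space). For a real /16 the
! same permit line reads "permit A.B.0.0/16 le 24", which admits the /16 and
! every more-specific down to /24 while rejecting anything shorter than /16.
!
! Ordinary announcements: the block and more-specifics no longer than /24.
! Prefix-lists end in an implicit deny, so nothing outside the block passes.
ip prefix-list CUST-64496-IN seq 10 permit 192.0.2.0/24 le 24
!
! Blackhole requests: the same block, but any length up to /32, so the customer
! can null-route one of its own hosts yet cannot null-route anyone else's.
ip prefix-list CUST-64496-BH seq 10 permit 192.0.2.0/24 le 32
!
! Blackhole community (assumed value; the real ones are published per provider).
ip community-list standard BLACKHOLE permit 64500:666
!
! Clause order matters: the blackhole clause must come before the ordinary one,
! and it requires BOTH the community AND a prefix inside the customer's block.
route-map CUST-64496-IN permit 10
 description blackhole: tagged AND inside the customer's own allocation
 match community BLACKHOLE
 match ip address prefix-list CUST-64496-BH
 set ip next-hop 198.51.100.1
 set community no-export additive
!
route-map CUST-64496-IN permit 20
 description ordinary routes: allocation and more-specifics to /24
 match ip address prefix-list CUST-64496-IN
!
route-map CUST-64496-IN deny 30
!
! A route carrying 64500:666 for an address outside 192.0.2.0/24 misses clause
! 10 (fails CUST-64496-BH), misses clause 20 (fails CUST-64496-IN) and is
! dropped by clause 30; a /32 inside the block without the community is also
! dropped, since it is longer than /24. Only a tagged /25../32 inside the block
! reaches clause 10.
!
! Discard next-hop used by clause 10; every router carrying the blackholed
! route needs this static route so traffic to it is dropped locally.
ip route 198.51.100.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 route-map CUST-64496-IN in
```

The point of the two-list split is that the length ceiling is decided per
clause, not globally: the same prefix filter that keeps deaggregation at /24
does not have to be loosened to let a host-route blackhole through, and the
blackhole clause never matches a prefix the customer is not entitled to
announce in the first place. The no-export tag keeps the /32 from leaking to
other ASes.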