[68149] in North American Network Operators' Group
Re: UUNet Offer New Protection Against DDoS
daemon@ATHENA.MIT.EDU (Patrick W.Gilmore)
Wed Mar 3 17:41:07 2004
In-Reply-To: <Pine.LNX.4.44.0403032220260.15621-100000@server2.tcw.telecomplete.net>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Wed, 3 Mar 2004 17:40:29 -0500
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
>>> I'm puzzled by one aspect on the implementation.. how to build your
>>> customer prefix filters.. that is, we have prefix-lists for prefix and
>>> length. Therefore at present we can only accept a tagged route for a
>>> whole block.. not good if the announcement is a /16 etc !
>>
>> MCI handles this by only filtering on prefix, not length. Well,
>> allowing you to only announce up to your length, not shorter, but
>> longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing
> this, in addition we have an extra filter which overrides anything that
> would deny anything longer than a /24. I'm not keen to change that..
> LART appears to have little or no effect with my customers, preemption
> appears to be the only way!
What's wrong with letting customers announce /32s into your network, as
long as you do not pass it to anyone else (including other customers)?
Here is what I did (when I had a network =) :
* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out
Theoretically, the Bogon out filters are irrelevant, since your table
should be clean from the inbound filters, but I like "belt and
suspenders". (Plus one day I leaked a slew of 10-net from a NOC test
LAN and hit one of the Merit instability mailing lists. Burned once,
twice shy. :)
--
TTFN,
patrick
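The four filter points in the post above, modelled as an added example (not from the original thread or any vendor's configuration) so the "accept a customer /32 but never pass it on" property can be checked. The customer allocation, the cust-only community value and the short bogon list are constructed assumptions.

```python
import ipaddress

# Constructed data for the example: one customer allocated TEST-NET-1, a
# hypothetical "customer-only" community (AS64496 is a documentation ASN),
# and a short bogon list.  A real policy would use a full bogon feed.
CUSTOMER_ALLOCATIONS = {"cust-a": [ipaddress.ip_network("192.0.2.0/24")]}
CUST_ONLY = "64496:100"
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_LEN = 24  # nothing longer than a /24 crosses the network edge


def is_bogon(net):
    return any(net.subnet_of(b) for b in BOGONS)


def customer_in(customer, net, communities=frozenset()):
    """Prefix filter customers in: the route must sit inside the customer's
    allocation, but any more specific (down to a /32) is accepted."""
    net = ipaddress.ip_network(net)
    allocs = CUSTOMER_ALLOCATIONS.get(customer, [])
    if is_bogon(net) or not any(net.subnet_of(a) for a in allocs):
        return None
    return (net, frozenset(communities))


def customer_out(route):
    """Filter > /24s and bogons out to customers."""
    net, _ = route
    return None if net.prefixlen > MAX_LEN or is_bogon(net) else route


def peer_in(net):
    """Bogon and /24 filter peers in."""
    net = ipaddress.ip_network(net)
    return None if net.prefixlen > MAX_LEN or is_bogon(net) else (net, frozenset())


def peer_out(route):
    """Bogon, /24, and cust-only community filter peers out."""
    net, communities = route
    if net.prefixlen > MAX_LEN or is_bogon(net) or CUST_ONLY in communities:
        return None
    return route


def exports(route):
    """Where a route accepted from a customer ends up: other customers, peers."""
    return {"customers": customer_out(route) is not None,
            "peers": peer_out(route) is not None}


if __name__ == "__main__":
    blackhole = customer_in("cust-a", "192.0.2.7/32")
    print(blackhole, exports(blackhole))  # accepted, exported nowhere
```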