[94602] in North American Network Operators' Group


RE: Route Reflector architecture and how to get small customer blocks in to BGP?

daemon@ATHENA.MIT.EDU (John van Oppen)
Mon Jan 29 01:44:55 2007

Date: Sun, 28 Jan 2007 22:44:01 -0800
From: "John van Oppen" <john@vanoppen.com>
To: <nanog-post@rsuc.gweep.net>, "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


Yep, that is a good strategy... No announcement without the right
communities sure makes it much harder to leak.

We redistribute lots of static routed stuff into BGP, but only announce
globally using network statements with a route map applying the right
communities. So far, we have never leaked internal routes to
customers, peers or transit that we are aware of.

John :)

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Joe Provo
Sent: Sunday, January 28, 2007 1:12 PM
To: NANOG
Subject: Re: Route Reflector architecture and how to get small customer
blocks in to BGP?


On Sun, Jan 28, 2007 at 10:59:50AM -0700, Danny McPherson wrote:
[snip]
> o If you're going to use redistribution - or not - ensure that all
> external advertisement policies require explicit match of advertise
> communities and default is to deny

This should be just good security policy. I think of it as a
network-level instance of "that which is not expressly permitted
is denied" which everyone applies for services on their hosts,
is denied" which everyone applies for services on their hosts,
right :-)

Cheers,

Joe
-- 
             RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
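
The export rule discussed in this thread (announce only on an explicit advertise-community match, deny by default), modelled next to a default-permit policy. This is an added example, not code or configuration from the posters; the community values, prefixes (documentation and private ranges) and function names are constructed for illustration.

```python
from dataclasses import dataclass

ADVERTISE = "64500:100"  # hypothetical "announce globally" community
INTERNAL = "64500:999"   # hypothetical "internal only" community

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                      # "network" or "redistribute-static"
    communities: frozenset = frozenset()
    meant_external: bool = False     # operator intent, unknown to the router

# Constructed routing table covering the tagged and the forgotten cases.
RIB = [
    Route("192.0.2.0/24", "network", frozenset({ADVERTISE}), True),
    Route("198.51.100.0/24", "network", frozenset({ADVERTISE}), True),
    Route("10.20.0.0/16", "redistribute-static", frozenset({INTERNAL})),
    # Static route redistributed without any community at all.
    Route("10.30.5.0/24", "redistribute-static"),
    # Public block whose network statement is missing the tagging route map.
    Route("203.0.113.0/24", "network", frozenset(), True),
]

def export_default_deny(routes):
    """Announce only routes that explicitly carry the advertise community."""
    return [r.prefix for r in routes if ADVERTISE in r.communities]

def export_default_permit(routes):
    """Announce everything except routes tagged internal."""
    return [r.prefix for r in routes if INTERNAL not in r.communities]

def leaked(policy, routes):
    """Prefixes the policy announces that were never meant to leave."""
    internal = {r.prefix for r in routes if not r.meant_external}
    return [p for p in policy(routes) if p in internal]

def missing(policy, routes):
    """Prefixes meant to be announced that the policy withholds."""
    sent = set(policy(routes))
    return [r.prefix for r in routes if r.meant_external and r.prefix not in sent]

if __name__ == "__main__":
    for policy in (export_default_deny, export_default_permit):
        print(policy.__name__, "announces", policy(RIB))
        print("  leaked: ", leaked(policy, RIB))
        print("  missing:", missing(policy, RIB))
```

A forgotten tag under default deny shows up as a missing announcement, which is noticed and fixed; under default permit the same mistake becomes a leaked internal prefix.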
