[c-nsp] prefix lists updates and max prefix filters

Mack McBride mack.mcbride at viawest.com
Thu Dec 8 12:54:54 EST 2011


I should have said not filtering with a prefix list is not really an answer.
Any time the route-map has to be changed you can and often do get leakage.
Therefore you need a second method of filtering.
The upstream should also be filtering.

<rant> If everyone used route registries to generate prefix lists and kept them up to date 
this wouldn't be as much of an issue. </rant>

Thankfully with IPv6 most ASNs will only have one prefix and most of these issues are
significantly reduced. I.e., the prefix list at this point has a maximum of 7K entries.

LR Mack McBride
Network Architect

-----Original Message-----
From: Pete Templin [mailto:petelists at templin.org] 
Sent: Thursday, December 08, 2011 10:47 AM
To: Mack McBride
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] prefix lists updates and max prefix filters

On 12/8/2011 11:37 AM, Mack McBride wrote:
> Not filtering announcements isn't really an answer.
> You run into the same problems with a route-map.
> The best solution is to use both a route-map and a prefix-filter.
> Your upstream should also be using a filter.

Say what?  Nobody's recommending that the OP not filter.  They're recommending that they filter on the way into their network, where the filtering can be done at a very granular level (this customer can send me this, that customer can send me that).  Any routes that meet said criteria are given a certificate (in the form of a 32-bit BGP community) indicating it's allowed to exist and allowed to leave.  At egress points, the only routes allowed to leave are those that possess the magic certificate.  Easy (in the grand scheme of things), scalable (new customer only requires provisioning at the ingress router), done.

pt

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Blake Dunlap
> Sent: Monday, December 05, 2011 11:35 AM
> To: James Ashton
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] prefix lists updates and max prefix filters
>
> This is straight up a design problem. Don't filter what you announce, filter what you accept, and allow what you specify via route map community matching out.

(And Gert posted a more-detailed version of this.)
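The design discussed in this thread, as an added illustration that is not from any of the posters: per-customer prefix-list filtering on ingress, a community stamped on routes that pass, an egress route-map that announces only routes carrying that community, and (Mack's point) a second coarse prefix-list on the egress session so a route-map mistake during a change cannot leak the table. All ASNs, addresses and the community value are constructed from documentation ranges and are not taken from the thread.

```cisco
! Use the ASN:value community notation in the config.
ip bgp-community new-format
!
! Ingress: per-customer prefix-list, applied inbound on that customer's session.
! Constructed: customer AS 64501 may originate only 192.0.2.0/24 and its /25s.
ip prefix-list CUST-A-IN seq 5 permit 192.0.2.0/24 le 25
ip prefix-list CUST-A-IN seq 100 deny 0.0.0.0/0 le 32
!
! The "certificate": a community meaning "allowed to exist and allowed to leave".
! 64496:100 is a constructed value, not a published convention.
ip community-list standard ALLOWED-OUT permit 64496:100
!
! Routes that pass the customer's prefix-list are stamped; everything else is
! dropped by the route-map's implicit deny.
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-IN
 set community 64496:100 additive
!
! Egress: only routes carrying the community are announced to the upstream.
route-map UPSTREAM-OUT permit 10
 match community ALLOWED-OUT
!
! Second method of filtering on the same egress session: a coarse prefix-list of
! the address space this network is ever allowed to announce, so an edit to the
! route-map cannot leak anything outside it.
ip prefix-list OUR-AGGREGATES seq 5 permit 198.51.100.0/24
ip prefix-list OUR-AGGREGATES seq 10 permit 192.0.2.0/24 le 25
!
router bgp 64496
 ! Constructed customer session; a low maximum-prefix is the backstop against a
 ! customer sending a full table.
 neighbor 198.51.100.2 remote-as 64501
 neighbor 198.51.100.2 route-map CUST-A-IN in
 neighbor 198.51.100.2 maximum-prefix 10 restart 5
 ! Constructed upstream session: community-gated route-map plus the coarse
 ! prefix-list, both applied outbound.
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map UPSTREAM-OUT out
 neighbor 203.0.113.1 prefix-list OUR-AGGREGATES out
```

Adding a new customer only touches the ingress side (a new prefix-list and route-map on that customer's session); the egress policy never changes, which is what makes the approach scale. The outbound prefix-list does not need per-customer detail, only the aggregates this network should ever announce, so it rarely changes and stays in place when the route-map does.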


