[c-nsp] Peer pointing default route to us
Vitkovský Adam
adam.vitkovsky at swan.sk
Tue Sep 30 05:37:43 EDT 2014
Hi Lukas,
> -----Original Message-----
> From: Lukas Tribus [mailto:luky-37 at hotmail.com]
> Sent: Tuesday, September 30, 2014 10:49 AM
> To: Vitkovský Adam; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Peer pointing default route to us
>
> Hi,
>
>
> > But most importantly.
> > Even though the above is not implemented they should not be able to
> > exit your network via your upstream or peering links if you have the
> > BCP 38 filtering implemented.
>
> BCP 38 is about ingress filtering on customer links, not egress filtering on
> peers/upstream links, or am I missing something?
Yes, ideally.
> > Would you please consider implementing filters on your upstream links
> > to only allow prefixes that you actually advertise to your upstreams
> > to exit your network?
> >
> > It is really easy.
> > Just check the routes you advertise via BGP to your upstreams and
> > create filters based on the outputs.
> > Apply the filters in the out direction.
>
> Are you talking about static ACLs matching source IPs and applying it in the
> egress direction on peers/upstreams?
>
> I don't see how that is supposed to scale.
It depends on the network scale. If you are advertising 10k+ prefixes it might be cumbersome.
> BCP38 (ingress filtering) sure, but egress filtering will just break your
> network, imho.
How?
adam
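
The procedure described in this message (list the prefixes advertised to the upstream, build a source filter from them, apply it outbound), sketched as an added example that is not part of the original thread. The prefix list and ACL name are constructed, and IOS extended-ACL syntax for IPv4 is assumed as the target format.

```python
import ipaddress

# Constructed sample: prefixes this AS advertises to its upstream
# (documentation ranges, not taken from the thread).
ADVERTISED = [
    "192.0.2.0/25",
    "192.0.2.128/25",
    "198.51.100.0/24",
    "203.0.113.64/26",
]


def allowed_networks(prefixes):
    """Parse and aggregate the advertised IPv4 prefixes.

    strict=True rejects entries with host bits set (e.g. 192.0.2.1/24),
    so a typo cannot silently widen or shift the filter.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))


def build_egress_acl(prefixes, name="UPSTREAM-EGRESS-SRC"):
    """Return extended-ACL lines permitting only advertised source space."""
    lines = [f"ip access-list extended {name}"]
    for net in allowed_networks(prefixes):
        # Extended ACLs take a wildcard (inverse) mask, i.e. the hostmask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def source_allowed(prefixes, src):
    """Model the ACL verdict for one source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_networks(prefixes))


if __name__ == "__main__":
    print("\n".join(build_egress_acl(ADVERTISED)))
    # Sources to sanity-check before applying the ACL outbound.
    for src in ("192.0.2.200", "203.0.113.10", "10.1.1.1"):
        print(src, "permit" if source_allowed(ADVERTISED, src) else "deny")
```

The generated list would be attached to the upstream-facing interface with `ip access-group UPSTREAM-EGRESS-SRC out`; running the source check against infrastructure and customer addresses first shows which legitimate sources the filter would drop.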