[c-nsp] Peer pointing default route to us
Gert Doering
gert at greenie.muc.de
Tue Sep 30 07:38:40 EDT 2014
Hi,
On Tue, Sep 30, 2014 at 08:20:05AM +0000, Vitkovský Adam wrote:
> It is really easy.
> Just check the routes you advertise via BGP to your upstreams and create filters based on the outputs.
> Apply the filters in the out direction.
> If someone starts to complain they are definitely doing something fishy.
This is actually pretty poor advice if you have downstream BGP that
frequently (for whatever reasons) changes the prefix set they announce
to you.
BCP38 should be applied on ingress to your network (so you can see *who*
is sending you garbage), not on egress - and for BGP customers, it should
not be done by "looking at routes" but be integrated into the tool set
that updates your BGP ingress filters to update the ingress ACL right
away.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 291 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20140930/d02ab9e4/attachment.sig>
More information about the cisco-nsp
mailing list