[c-nsp] Peer pointing default route to us

Gert Doering gert at greenie.muc.de
Tue Sep 30 07:38:40 EDT 2014


On Tue, Sep 30, 2014 at 08:20:05AM +0000, Vitkovský Adam wrote:
> It is really easy. 
> Just check the routes you advertise via BGP to your upstreams and create filters based on the outputs. 
> Apply the filters in the out direction. 
> If someone starts to complain they are definitely doing something fishy. 

This is actually pretty poor advice if you have downstream BGP that 
frequently (for whatever reasons) changes the prefix set they announce
to you.

BCP38 should be applied on ingress to your network (so you can see *who*
is sending you garbage), not on egress - and for BGP customers, it should
not be done by "looking at routes" but be integrated into the tool set
that updates your BGP ingress filters to update the ingress ACL right


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 291 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20140930/d02ab9e4/attachment.sig>

More information about the cisco-nsp mailing list