[j-nsp] Filtering people pointing default
Richard A Steenbergen
ras at e-gerbil.net
Fri Aug 1 21:49:10 EDT 2003
Has anyone actually implemented an "anti peers pointing default at you"
filter, specifically to discard any packet sent to a route which doesn't
belong to a customer?
A routing-instance populated by only customer/internal/interface routes
should mostly work (except in the case where a non-customer is announcing
a more specific route of a block announced by a customer, but how often
does that happen? :P), but it doesn't seem to have quite the results I
would expect (namely no bgp, no forwarding packets, etc).
How difficult would it be for Juniper to implement a dynamic prefix-list,
which could be populated by matching from a policy-statement? The dynamic
prefix-list could then be used in a firewall filter to do a wide variety
of useful things. For example, you could create a dynamic prefix-list
which contains all your customer routes matched via a BGP community, and
then apply QoS/CoS/filtering/etc in a firewall statement. Would the
router need to recompile the firewall filters and transfer a large set of
prefixes with every routing change, or would the prefix-list be
maintained in a separate piece of memory with only a reference pointing
to it from the firewall? Would the box be able to keep up with such a
large number of prefixes and frequent changes? The usefulness of such a
feature knows no bounds in my eyes...
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
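The two approaches discussed in the post, a routing instance holding only customer/internal routes versus a lookup that checks the origin of the route actually chosen for forwarding, can be compared on a toy table. The following Python is an added illustration, not code from the post or from Juniper; the RIB entries, origin tags and destination addresses are constructed (documentation ranges), and the "more specific" case is the one the post calls out, a non-customer /25 inside a customer /24.

```python
import ipaddress

# Constructed sample RIB: (prefix, origin) pairs. Origins are "customer",
# "internal" or "peer". These are documentation ranges, not real customers.
SAMPLE_RIB = [
    ("192.0.2.0/24", "customer"),
    ("198.51.100.0/24", "internal"),
    ("203.0.113.0/24", "peer"),
    ("192.0.2.128/25", "peer"),  # non-customer more-specific of a customer block
]

# Traffic is legitimate when it is destined for our own or our customers' routes.
TRUSTED_ORIGINS = {"customer", "internal"}


def build_table(entries):
    """Parse (prefix, origin) pairs and sort longest prefix first,
    so the first containing entry is the longest match."""
    table = [(ipaddress.ip_network(p), origin) for p, origin in entries]
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def longest_match(table, dst):
    """Return (network, origin) of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    for net, origin in table:
        if addr in net:
            return net, origin
    return None


def customer_instance_decision(full_rib, dst):
    """Model of a routing instance populated only with customer/internal
    routes: any hit forwards, no hit discards. A non-customer more-specific
    is invisible here, so traffic for it is forwarded via the aggregate."""
    subset = [(p, o) for p, o in full_rib if o in TRUSTED_ORIGINS]
    hit = longest_match(build_table(subset), dst)
    return "forward" if hit else "discard"


def tagged_rib_decision(full_rib, dst):
    """Model of checking the origin tag (e.g. a community-derived mark) on the
    route the full table actually selects: only a trusted longest match forwards."""
    hit = longest_match(build_table(full_rib), dst)
    return "forward" if hit and hit[1] in TRUSTED_ORIGINS else "discard"


def compare(full_rib, destinations):
    """Side-by-side decisions for each destination:
    {dst: (customer_instance_decision, tagged_rib_decision)}."""
    return {
        d: (customer_instance_decision(full_rib, d), tagged_rib_decision(full_rib, d))
        for d in destinations
    }


if __name__ == "__main__":
    for dst, result in compare(
        SAMPLE_RIB, ["192.0.2.10", "203.0.113.5", "192.0.2.200", "100.64.0.1"]
    ).items():
        print(f"{dst:15} customer-instance={result[0]:8} tagged-rib={result[1]}")
```

Destinations inside a customer or internal block are forwarded by both models, and traffic for a peer's block (the "pointing default at you" case) is discarded by both; the models differ only for the non-customer more-specific, which the customer-only instance forwards and the origin-tag check discards.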