[j-nsp] Filtering people pointing default

Richard A Steenbergen ras at e-gerbil.net
Fri Aug 1 21:49:10 EDT 2003


Has anyone actually implemented an "anti peers pointing default at you" 
filter, specifically to discard any packet sent to a route which doesn't 
belong to a customer?

A routing-instance populated by only customer/internal/interface routes
should mostly work (except in the case where a non-customer is announcing
a more specific route of a block announced by a customer, but how often 
does that happen? :P), but it doesn't seem to have quite the results I 
would expect (namely no bgp, no forwarding packets, etc).

How difficult would it be for Juniper to implement a dynamic prefix-list,
which could be populated by matching from a policy-statement? The dynamic
prefix-list could then be used in a firewall filter to do a wide variety
of useful things. For example, you could create a dynamic prefix-list
which contains all your customer routes matched via a BGP community, and
then apply QoS/CoS/filtering/etc in a firewall statement. Would the 
router need to recompile the firewall filters and transfer a large set of 
prefixes with every routing change, or would the prefix-list be 
maintained in a seperate piece of memory with only a reference pointing 
to it from the firewall? Would the box be able to keep up with such a 
large number of prefixes and frequent changes? The usefulness of such a 
feature knows no bounds in my eyes...

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
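One way to build the "discard anything not destined for a customer or internal route" filter the post describes, added here as an illustrative example and not taken from the post or from Juniper documentation: it assumes Junos destination-class usage (DCU), where a policy exported to the forwarding table tags customer and internal routes with a destination class and a firewall filter on the peer-facing interface discards everything else. The community value 65000:100, the class name, the interface and the filter names are assumptions.

```junos
policy-options {
    community CUSTOMERS members 65000:100;   /* assumed customer-marking community */
    policy-statement tag-customer-routes {
        /* routes learned from customers carry the community */
        term customers {
            from community CUSTOMERS;
            then destination-class ours;
        }
        /* our own infrastructure routes must stay reachable too */
        term internal {
            from protocol [ direct static ospf ];
            then destination-class ours;
        }
    }
}
routing-options {
    forwarding-table {
        export tag-customer-routes;   /* DCU classes are set at forwarding-table export */
    }
}
firewall {
    family inet {
        filter peer-no-transit {
            term to-ours {
                from {
                    destination-class ours;
                }
                then accept;
            }
            /* anything else means the peer is using us as transit */
            term pointing-default {
                then {
                    count pointing-default;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "peer-facing link (assumed)";
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
                filter {
                    input peer-no-transit;
                }
            }
        }
    }
}
```

As the post notes, a non-customer more-specific inside a customer block is not tagged and so lands in the discard term; watching the pointing-default counter with the final action set to accept first shows what the filter would drop before it is enforced.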