[j-nsp] Filtering people pointing default

Stephen Gill gillsr at yahoo.com
Fri Aug 1 22:08:46 EDT 2003


Richard,
I definitely agree - this is something I've wanted for a while, but I
don't know how feasible it would be.  Something like this would have a
LOT of positive implications.

-- steve

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Richard A
Steenbergen
Sent: Friday, August 01, 2003 7:49 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Filtering people pointing default

Has anyone actually implemented an "anti peers pointing default at you"
filter, specifically to discard any packet sent to a route which doesn't
belong to a customer?

A routing-instance populated by only customer/internal/interface routes
should mostly work (except in the case where a non-customer is announcing
a more specific route of a block announced by a customer, but how often
does that happen? :P), but it doesn't seem to have quite the results I
would expect (namely no bgp, no forwarding packets, etc).

How difficult would it be for Juniper to implement a dynamic prefix-list,
which could be populated by matching from a policy-statement? The dynamic
prefix-list could then be used in a firewall filter to do a wide variety
of useful things. For example, you could create a dynamic prefix-list
which contains all your customer routes matched via a BGP community, and
then apply QoS/CoS/filtering/etc in a firewall statement. Would the
router need to recompile the firewall filters and transfer a large set of
prefixes with every routing change, or would the prefix-list be
maintained in a separate piece of memory with only a reference pointing
to it from the firewall? Would the box be able to keep up with such a
large number of prefixes and frequent changes? The usefulness of such a
feature knows no bounds in my eyes...

-- 
Richard A Steenbergen <ras at e-gerbil.net>
http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
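The check Richard describes, modelled as an added example (not code from the thread or from Juniper): a peer-sourced packet is first looked up in a customer-only RIB whose default route is discard, and only packets that match a customer route are forwarded via the full table. The route sets are constructed from RFC 5737 documentation space, and the third lookup shows the caveat he raises, a peer announcing a more-specific of a customer block slips through the customer-only check.

```python
"""Model of an 'anti peers pointing default at you' check.

Two tables are kept: the full forwarding table (every route learned from
customers, peers and transit) and a customer-only RIB that holds just the
customer/internal routes plus a discard default.  A packet arriving from
a peer is looked up in the customer-only RIB first; if the longest match
there is the discard default, the packet is dropped.
"""
from ipaddress import ip_address, ip_network


def longest_match(rib, dst):
    """Return (prefix, next_hop) of the most specific route covering dst."""
    addr = ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or
                            net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nh)
    return best


def filter_peer_packet(customer_rib, full_rib, dst):
    """Decide the fate of a peer-sourced packet destined to dst."""
    prefix, nh = longest_match(customer_rib, dst)
    if nh == "discard":
        return ("discard", prefix)
    # Destination is covered by a customer route: forward via the full table.
    return ("forward", *longest_match(full_rib, dst))


# Constructed sample routes (documentation prefixes, made up for this example).
FULL_RIB = {
    "0.0.0.0/0": "transit",
    "192.0.2.0/24": "customer-A",
    "192.0.2.128/25": "peer-X",   # peer announces a more-specific of customer-A
    "198.51.100.0/24": "peer-Y",
    "203.0.113.0/24": "customer-B",
}
CUSTOMER_RIB = {
    "0.0.0.0/0": "discard",       # anything not a customer route is dropped
    "192.0.2.0/24": "customer-A",
    "203.0.113.0/24": "customer-B",
}

if __name__ == "__main__":
    for dst in ("192.0.2.10", "198.51.100.7", "192.0.2.200"):
        print(dst, filter_peer_packet(CUSTOMER_RIB, FULL_RIB, dst))
```

The last lookup (192.0.2.200) passes the customer check because 192.0.2.0/24 is a customer route, yet the full table forwards it to peer-X, which is exactly the hole a dynamic prefix-list built from exact customer announcements would not have closed either.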