[j-nsp] Filtering people pointing default
Stephen Gill
gillsr at yahoo.com
Fri Aug 1 22:08:46 EDT 2003
Richard,
I definitely agree - this is something I've wanted for a while, but I
don't know how feasible it would be. Something like this would have a
LOT of positive implications.
-- steve
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Richard A
Steenbergen
Sent: Friday, August 01, 2003 7:49 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Filtering people pointing default
Has anyone actually implemented an "anti peers pointing default at you"
filter, specifically to discard any packet sent to a route which doesn't
belong to a customer?
A routing-instance populated by only customer/internal/interface routes should mostly work (except in the case where a non-customer is announcing a more specific route of a block announced by a customer, but how often does that happen? :P), but it doesn't seem to have quite the results I would expect (namely no bgp, no forwarding packets, etc).
How difficult would it be for Juniper to implement a dynamic prefix-list, which could be populated by matching from a policy-statement? The dynamic prefix-list could then be used in a firewall filter to do a wide variety of useful things. For example, you could create a dynamic prefix-list which contains all your customer routes matched via a BGP community, and then apply QoS/CoS/filtering/etc in a firewall statement. Would the router need to recompile the firewall filters and transfer a large set of prefixes with every routing change, or would the prefix-list be maintained in a separate piece of memory with only a reference pointing to it from the firewall? Would the box be able to keep up with such a large number of prefixes and frequent changes? The usefulness of such a feature knows no bounds in my eyes...
--
Richard A Steenbergen <ras at e-gerbil.net>
http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
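The "discard anything not destined for a customer route" filter the quoted message describes can be built with Junos destination class usage (DCU): a forwarding-table export policy tags routes with a class as they enter the FIB, and a firewall filter matches on that tag, which is the dynamic, policy-populated prefix set the post asks for. This is an added example, not configuration from anyone in this thread; the community value 65000:100, the internal block 198.51.100.0/24 and the interface ge-0/0/0 are constructed placeholders, and it assumes a Junos release in which firewall filters support the destination-class match.

```junos
policy-options {
    community CUSTOMER-ROUTES members 65000:100;   /* constructed: set on customer routes at ingress */
    policy-statement tag-customer-destinations {
        term customers {
            from community CUSTOMER-ROUTES;
            then destination-class customer;
        }
        term internal {
            from route-filter 198.51.100.0/24 orlonger;   /* constructed: router and link addresses */
            then destination-class customer;
        }
    }
}
routing-options {
    forwarding-table {
        export tag-customer-destinations;   /* DCU tags are assigned as routes are installed in the FIB */
    }
}
interfaces {
    ge-0/0/0 {   /* constructed: peer-facing interface */
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;   /* the class lookup is off until enabled per interface */
                }
                filter {
                    input drop-non-customer;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter drop-non-customer {
            term to-customer {
                from {
                    destination-class customer;
                }
                then accept;
            }
            term pointing-default {
                then {
                    count pointing-default;   /* check this counter before trusting the filter */
                    discard;
                }
            }
        }
    }
}
```

The `internal` term matters: without it, packets to the router's own addresses (including the peer's BGP session) fall into the discard term, which is the "no bgp, no forwarding" failure the post saw with the routing-instance approach. The more-specific caveat from the post still applies, since a non-customer announcing a longer prefix inside a customer block produces an untagged FIB entry for that range.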