[j-nsp] RE: bgp config changes (was: autonomous-system N loop s L)

bbird at epik.net bbird at epik.net
Fri Dec 12 23:32:08 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#-----Original Message-----
#From: Richard A Steenbergen [mailto:ras at e-gerbil.net] 
#Sent: Friday, December 12, 2003 9:51 PM
#To: juniper-nsp at puck.nether.net
#Subject: Re: [j-nsp] RE: bgp config changes (was: 
#autonomous-system N loops L)
<snip>
#You wouldn't want the ability to mix "exact" and "orlonger" or even a
#specific range in the same prefix-list?

You bet I would. 

#
#I do agree that putting it outside the prefix-list has some advantages
#though. For example, one application which pops to mind that I've had
#users hounding me about is the null route community, and the ability to
#announce it on any IP in their set of registered routes all the way up to
#a /32 without compromising the security of my network or others by
#allowing /32s to be announced as "non-null route".
#
#Thus you might have regular import for BGP routes which is done:
#
#from prefix-list blah upto /24;
#
#And then for null route community imports (which you would probably want
#to set no-export, or say change next-hop to something aimed at a dsc
#interface with a filter that automatically forwards a policed amount
#of packets over a pre-configured LSP to an analysis box for DoS tracking,
#or any number of other things):
#
#from prefix-list blah upto /32;
#
#Personally I'd like to have the modifiers available both inside and 
#outside the prefix-list, with a value outside the list overriding.

I agree.  There is no reason that the software can't provide this. 
Heck, it already does, with respect to route-filters.  I would hope
that Juniper would also agree on your idea regarding precedence.  It
seems against current Juniper convention to have the common modifier
applied within the policy, overriding the modifier applied to the
specific prefix.  But, in this application, the prefix-list's
functionality is only obtained by its use in the policy.  So
obviously the policy's modifiers should override.  You made me think
about it though. :)

Does anyone else ever wonder if the prefix-list and firewall policy
guy, ever talked to the route policy guy? :-)

#
#> - ability to use prefix-lists for snmp access control
#> 
#> :-$
#
#On a completely unrelated subject, if you don't already have it (though
#somehow I suspect you do :P), make sure to add automatically tuning prefix
#limits which track the normal number of prefixes + some configurable
#amount or percentage of burst, and block anything past that as "abnormal"
#without the need to constantly scan peer prefix-limits adjusting for
#growth.

Hey now!  I spent a lot of time on these scripts. :)  Now what is
that server supposed to do?

I swear, both you and Daniel are reading my notes. :) 
Juniper...Please add me to the waiting list, as well (I know...I'll
talk to my rep).

Ben

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBP9qW2NFQh6ARB7TZEQKKoQCgzYAaoKOE4acigXgH3oLRPGlx5ZUAoOkJ
prKS3kAsr6CS8/2QLOd7Ym0V
=yYug
-----END PGP SIGNATURE-----
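A toy evaluator of the two ideas discussed in the message above: an import policy whose prefix-list match uses `upto /24` for ordinary routes but `upto /32` for routes tagged with the customer's null-route community (which are then marked no-export), and a self-tuning per-peer prefix limit that tracks the peer's normal count plus a configurable burst. This is an added example, not code from the thread or from Juniper; the registered prefixes, the community value 64496:666, the `no-export` tag and the prefix-count history are all constructed sample data.

```python
"""Added example (not from the thread): models 'from prefix-list X upto /N'
with a separate length limit for null-route requests, and a self-tuning
per-peer prefix limit.  All prefixes, communities and counts are constructed."""
import math
import statistics
from ipaddress import ip_network

# Constructed sample data: one customer's registered routes (RFC 5737 ranges).
REGISTERED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/23")]
NULL_ROUTE_COMMUNITY = "64496:666"  # hypothetical value on a documentation ASN
NO_EXPORT = "no-export"
NORMAL_UPTO = 24   # ordinary import: "from prefix-list blah upto /24"
NULL_UPTO = 32     # null-route import: "from prefix-list blah upto /32"


def matches_prefix_list(prefix, registered, upto):
    """Model of 'from prefix-list X upto /N': the route must lie inside one of
    the registered prefixes and be no more specific than /N."""
    return prefix.prefixlen <= upto and any(prefix.subnet_of(r) for r in registered)


def evaluate_route(prefix_str, communities, registered=REGISTERED):
    """Return (action, resulting communities) for one received route.

    Null-route requests may be as specific as /32 but get no-export so they
    never leave the AS; every other route is held to /24, so a /32 without
    the community is never accepted as an ordinary forwarded route."""
    prefix = ip_network(prefix_str)
    comms = set(communities)
    if NULL_ROUTE_COMMUNITY in comms:
        if matches_prefix_list(prefix, registered, NULL_UPTO):
            return "accept-null-route", sorted(comms | {NO_EXPORT})
        return "reject", []
    if matches_prefix_list(prefix, registered, NORMAL_UPTO):
        return "accept", sorted(comms)
    return "reject", []


def tuned_prefix_limit(history, burst_abs=50, burst_pct=20):
    """Limit = the peer's normal prefix count (median of recent samples) plus
    the larger of a fixed allowance and a percentage allowance, so the limit
    follows growth without anyone hand-editing per-peer maximum-prefix values."""
    baseline = statistics.median(history)
    allowance = max(burst_abs, baseline * burst_pct / 100)
    return math.ceil(baseline + allowance)


def check_peer(current, history, **burst):
    """Classify a peer's current prefix count against its tuned limit."""
    limit = tuned_prefix_limit(history, **burst)
    return ("abnormal" if current > limit else "ok"), limit


if __name__ == "__main__":
    for route, comms in [("192.0.2.0/24", []),
                         ("192.0.2.0/25", []),
                         ("192.0.2.7/32", [NULL_ROUTE_COMMUNITY]),
                         ("192.0.2.7/32", []),
                         ("203.0.113.0/24", [NULL_ROUTE_COMMUNITY])]:
        print(route, comms, "->", evaluate_route(route, comms))
    # Constructed history of prefix counts seen from one peer over recent polls.
    print(check_peer(152, [100, 102, 101, 99, 103]))
```

The point of keeping the two `upto` values outside the prefix-list is visible in `evaluate_route`: the same registered list serves both terms, and a /32 only gets in when it carries the community that also forces no-export. The limit function uses the median rather than the latest sample so that one burst does not raise the baseline for the next check.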
