[j-nsp] Generated prefix lists - simple solution to a range of problems?
David Monosov
david.monosov at futureinquestion.net
Thu Sep 23 07:21:04 EDT 2004
Dear list,
Although I am sure the idea is nowhere near revolutionary, there is a feature
in JunOS I have come to miss more and more with time; after a small review of
the available JunOS documentation, I do not see any architectural
problems preventing its implementation. If anyone from Juniper is
reading this - consider it a feature request ;)
It would be in my opinion incredibly useful to be able to dynamically
generate prefix lists from routing protocols by applying one or several
policies.
This would be handy for assorted black holes, rbls, firewall filters,
bogons, etc.
A few simple examples to illustrate:
Bogon black hole:
- Import Cymru's bogon list from AS 65333, tagged with community
65333:888 via BGP
- A prefix list called bogon-prefixes is generated using a policy which
accepts only routes from that BGP peer, tagged with that community, and
marks each route as "X.X.X.X/Y orlonger".
- I can now apply the generated prefix-list to my peers' import policy as
reject in order to reject *all* bogon routes, including more specifics.
Dynamic firewalling:
- Import via BGP from bgpd.pl running as AS 65535 with various
communities for different ports (e.g. 65535:80, 65535:25, etc.) or
similar, which is hacked to receive dynamic updates from a Snort IDS.
- A prefix list called dynamic-firewall-port80 is generated from all BGP
routes imported as described above with community 80.
- A prefix list called dynamic-firewall-port25 is generated from all BGP
routes imported as described above with community 25.
- I can now apply the generated prefix-list to a firewall filter,
specifying the generated prefix-list I'm interested in, and applying
specific port filtering inside the filter.
... And many other uses which I'm sure I haven't even thought of yet.
Could this make it into one of the upcoming JunOS releases?
Sincerely,
D.
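An off-box approximation of what the post asks for, as an added example that is not part of the original message or of JunOS: select routes by peer AS and community (the post's bogon and per-port cases) and render them as JunOS prefix-list stanzas. The route table is a constructed sample; the policy names and community values are the ones used in the post.

```python
"""Build JunOS prefix-list stanzas from BGP routes selected by peer AS and
community. Added example, not from the original post; SAMPLE_ROUTES is a
constructed stand-in for a real route dump."""
from ipaddress import ip_network

# Constructed sample: (prefix, peer AS, communities), as in the post's scenarios
SAMPLE_ROUTES = [
    ("10.0.0.0/8", 65333, {"65333:888"}),
    ("192.0.2.0/24", 65333, {"65333:888"}),
    ("198.51.100.0/24", 65333, {"65333:999"}),  # wrong community, excluded
    ("203.0.113.7/32", 65535, {"65535:80"}),
    ("203.0.113.9/32", 65535, {"65535:25"}),
    ("203.0.113.7/32", 65535, {"65535:80"}),    # duplicate, collapsed
    ("172.16.0.0/12", 64512, {"65333:888"}),    # right community, wrong peer
]

# Policy: prefix-list name -> (peer AS, community) a route must carry.
POLICIES = {
    "bogon-prefixes": (65333, "65333:888"),
    "dynamic-firewall-port80": (65535, "65535:80"),
    "dynamic-firewall-port25": (65535, "65535:25"),
}

def generate_prefix_lists(routes, policies):
    """Return {name: sorted CIDR strings} for routes matching each policy."""
    lists = {name: set() for name in policies}
    for prefix, peer_as, communities in routes:
        net = ip_network(prefix, strict=True)  # reject host bits set in a prefix
        for name, (want_as, want_comm) in policies.items():
            if peer_as == want_as and want_comm in communities:
                lists[name].add(net)
    return {name: [str(n) for n in sorted(nets)] for name, nets in lists.items()}

def render_junos(prefix_lists):
    """Render prefix-list stanzas under [edit policy-options]."""
    out = ["policy-options {"]
    for name, prefixes in prefix_lists.items():
        out.append(f"    prefix-list {name} {{")
        out.extend(f"        {p};" for p in prefixes)
        out.append("    }")
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_junos(generate_prefix_lists(SAMPLE_ROUTES, POLICIES)))
```

The post's "orlonger" semantics belong where the list is referenced in a policy term rather than in the list itself, so the generated stanza carries exact prefixes only.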