[j-nsp] Dynamic blocklists/blacklists...?

Chris Morrow morrowc at ops-netman.net
Tue Aug 16 14:16:50 EDT 2005


On Tue, 16 Aug 2005, Michael Loftis wrote:

>
>
> --On August 16, 2005 10:49:02 AM -0700 Pedro Roque Marques
> <roque at juniper.net> wrote:
>
>> On Tue, 2005-08-16 at 17:22 +0000, Jared Mauch wrote:
>>
>>>> To me....it just seems far easier to have the route server broadcast
>>>> the  data via iBGP...
>>>
>>> 	So would something like this help?
>
> That is exactly what I really want. :)
>

note that additions to BGP could be considered dangerous, especially wrt 
testing and validating new code releases or updates during incidents. If 
you are trying to implement dynamic blocklists why not just have 
bgpd/quagga send you routes with a nexthop you are blackholing? then 
urpf-loose your interfaces on devices you want to drop said traffic on?

> I'll read the doc's Pedro linked, but I think this is the perfect tool for
> my problems.  I was unaware anyone had actually implemented it.  Sometimes
> I make a compromise too early figuring that the solution isn't quite there
> yet.  I guess in this case I don't need to.
>
> This is a very worthwhile bit of specification considering today's network
> environment.
>
> Thanks Pedro, Jared! (in no particular order there)
>
>>>
>>> http://www.tcb.net/draft-marques-idr-flow-spec-00.txt
>>>
>>
>> There is more recent version:
>> http://professional.juniper.net/roque/draft-marques-idr-flow-spec-02.txt
>>
>> more info:
>> http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing
>> /html/routing-tables-config52.html
>> http://professional.juniper.net/roque/traffic-filter.pdf
>>
>>   Pedro.
>>
>
>
>
> --
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>


More information about the juniper-nsp mailing list