[j-nsp] Dynamic blocklists/blacklists...?

Piotr Marecki peter at mareccy.org
Wed Aug 17 13:17:44 EDT 2005


>1) Write policy for forwarding-table which classifies all prefixes with BGP 
>community "bad-source" to source-class "source-to-discard".
>1a) (optionally) Write policy for forwarding-table which classifies all 
>prefixes with BGP community "victims" to destination-class "victims".
>2) Write firewall-filter which matches on source-class="source-to-discard" 
>(AND optionally destination-class="victims") with action discard.
>3) Apply filter on output direction of interfaces.
>
>This is not as granular as BGP-flow.
>This consumes one of 128 available source/destination-classes.
>This requires application on multiple interfaces on edge router (mostly 
>core facing).
>
>But it should work. And standard IPv4 BGP is enough.
>
>(I have not tested this. Just sharing an idea. If somebody does test it, then 
>please tell me about the results.)
>
>Rafał Szarecki JNCIE


Ehlo ,

Your idea works well, with the addition of set interfaces <*> unit <*> family 
inet accounting source-class-usage input.
I wonder, though, if anyone has tested how RPF/SCU (given that two IPv4/IPv6 
lookups per packet have to be done) influence
box performance.

regards

Piotr Marecki
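The three steps quoted above, plus the accounting knob Piotr adds, written out as one Junos configuration. This is an added example, not configuration posted by either author; the community values (65000:666, 65000:667), the policy/filter/class names and the interface names are assumptions chosen for illustration, and the prefixes are expected to arrive via ordinary IPv4 BGP already tagged with those communities.

```junos
policy-options {
    /* assumed community values; match whatever the blocklist feed tags with */
    community bad-source members 65000:666;
    community victims members 65000:667;
    /* step 1 / 1a: map communities to a source-class and a destination-class
       as routes are installed into the forwarding table */
    policy-statement scu-classify {
        term bad-sources {
            from community bad-source;
            then source-class source-to-discard;
        }
        term victims {
            from community victims;
            then destination-class victims;
        }
    }
}
routing-options {
    forwarding-table {
        export scu-classify;
    }
}
firewall {
    family inet {
        /* step 2: drop traffic whose source matched the blocklist class
           (optionally only toward the victims class) */
        filter discard-bad-sources {
            term drop {
                from {
                    source-class source-to-discard;
                    destination-class victims;
                }
                then {
                    count discarded-bad-sources;
                    discard;
                }
            }
            /* Junos filters end with an implicit discard, so everything
               else must be accepted explicitly */
            term allow {
                then accept;
            }
        }
    }
}
interfaces {
    /* ingress interface: the source-class lookup is only performed when
       source-class-usage input is enabled here (Piotr's addition) */
    ge-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    source-class-usage {
                        input;
                    }
                }
            }
        }
    }
    /* step 3: the filter is applied in the output direction, on the
       interface(s) through which traffic leaves toward the victims */
    ge-0/0/1 {
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
                filter {
                    output discard-bad-sources;
                }
            }
        }
    }
}
```

Verify the classification took effect with `show route forwarding-table extensive` (the installed route shows its source/destination class) and watch the counter with `show firewall filter discard-bad-sources`. Removing a route from the blocklist feed clears its class on the next forwarding-table update, so dropping a prefix from the BGP session is enough to unblock it; the source-class lookup itself is the extra per-packet work whose cost Piotr asks about.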