[j-nsp] Dynamic blocklists/blacklists...?
Piotr Marecki
peter at mareccy.org
Wed Aug 17 13:17:44 EDT 2005
>1) Write a policy for the forwarding-table which classifies all prefixes with BGP
>community "bed-source" to source-class "source-to-discard".
>1a) (optionally) Write a policy for the forwarding-table which classifies all
>prefixes with BGP community "victims" to destination-class "victims".
>2) Write a firewall filter which matches on source-class="source-to-discard"
>(AND optionally destination-class="victims") with action discard.
>3) Apply the filter in the output direction of interfaces.
>
>This is not as granular as BGP-flow.
>This consumes one of 128 available source/destination-classes.
>This requires application on multiple interfaces on the edge router (mostly
>core facing).
>
>But it should work. And standard IPv4 BGP is enough.
>
>(I have not tested this. Just sharing an idea. If somebody does test it, then
>please tell me about the results.)
>
>Rafał Szarecki JNCIE
Ehlo,
Your idea works well, with the addition of set interfaces <*> unit <*> family
inet accounting source-class-usage input.
I wonder though if anyone has tested how RPF/SCU (given that two IPv4/IPv6
lookups per packet have to be done) influence
box performance.
regards
Piotr Marecki
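As an added example (not part of the thread), this is the Junos configuration the quoted steps and the reply describe, with the source-class-usage accounting statement from the reply included. Community values, policy and filter names, and the interface name are assumptions.

```junos
policy-options {
    /* community member values 65000:666 and 65000:667 are assumed */
    community bed-source members 65000:666;
    community victims members 65000:667;
    policy-statement classify-scu-dcu {
        term bad-sources {
            from community bed-source;
            then source-class source-to-discard;   /* step 1 */
        }
        term victims {
            from community victims;
            then destination-class victims;        /* step 1a, optional */
        }
    }
}
routing-options {
    forwarding-table {
        export classify-scu-dcu;   /* classes are assigned in the forwarding table */
    }
}
firewall {
    family inet {
        filter discard-bad-sources {               /* step 2 */
            term discard {
                from {
                    source-class source-to-discard;
                    destination-class victims;     /* drop this line to discard regardless of destination */
                }
                then {
                    count discarded-bad-sources;   /* counter so the drops are visible */
                    discard;
                }
            }
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                                     /* interface name assumed */
        unit 0 {
            family inet {
                accounting {
                    source-class-usage { input; }  /* the addition from the reply */
                    destination-class-usage;
                }
                filter { output discard-bad-sources; }   /* step 3 */
            }
        }
    }
}
```

In a deployment the accounting statement belongs on the interfaces where traffic enters and the output filter on the core-facing interfaces named in step 3; both are shown on one interface here only for brevity.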