[j-nsp] Dynamic blocklists/blacklists...?

Rafal Szarecki (WA/EPO) rafal.szarecki at ericsson.com
Thu Aug 18 04:48:20 EDT 2005


Pedro,

> > This is not as granular as BGP-flow.
> > But It should work. And Standard IPv4 BGP is enough.
> standard bgp is not enough when:
> a) You want a more-specific filter (e.g. 5 tuple).
> b) You actually want to automatically validate the filters.

I am just trying to address the case when: older JUNOS is used (the ISP is sceptical about upgrading SW too fast, if it works), or a multi-vendor network where BGP flow AF is not supported on all devices.
I would rather try to mimic IOS urpf behavior than compete with the BGP flow solution...

>    The current scheme of propagating /32s for black-holes has no such
> way to validate information. As such ISPs are very skeptical of
> propagating those /32s across more than 1 hop...
> 
You mean 1 AS hop?  Of course I agree.


