[j-nsp] Dynamic blocklists/blacklists...?
Rafal Szarecki (WA/EPO)
rafal.szarecki at ericsson.com
Thu Aug 18 04:48:20 EDT 2005
> > This is not as granular as BGP-flow.
> > But It should work. And Standard IPv4 BGP is enough.
> standard bgp is not enough when:
> a) You want a more-specific filter (e.g. 5 tuple).
> b) You actually want to automatically validate the filters.
I just try to address case when: older JUNOS is used (ISP is scepticat in upgrading SW too fast, if works), or multi-vendor network where BGP flow AF is not supported on all devices.
I rather try to mimic IOS urpf behavior then compete with BGP flow solution...
> The current scheme of propagating /32s for black-holes has no such
> way to validate information. As such ISPs are very skeptical of
> propagating those /32s across more that 1 hop...
You mean 1 AS hop? Of course I aggree.
More information about the juniper-nsp