[j-nsp] out-bound anti-spoofing rules when using community-based routing
David Ball
davidtball at gmail.com
Thu Jan 24 10:56:21 EST 2008
We use community-based routing for our internet customers in that
any static routes or accepted BGP routes are tagged with a community,
such that we'll know what we should and should not export to our
upstreams. This helps to avoid having to maintain large prefix-lists
on each node.
I'm now struggling to find another way to prevent our customers from
spoofing. The previous method relied on a firewall filter which
indeed references a prefix-list of all our customers' space. I'm
having a hard time getting away from this, as I can't create a
firewall filter which will look up the community assigned to a
source-address (to see if it's legitimately a customer).
How have others gotten around this? Am I overlooking something? Or
is maintaining large lists the only way to go?
David
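An added JunOS configuration example, not part of David's post, sketching both halves of the setup he describes: the community-tagged import/export policies that replace prefix-lists on the BGP side, and the customer-facing firewall filter that still has to reference a maintained prefix-list. Every name, the ASNs, the community value and the addresses are placeholders (RFC 5737 documentation ranges). The interface stanza also shows the strict unicast RPF check, which is the usual way to get per-port anti-spoofing on a single-homed customer interface without a prefix-list; note that it validates the source against the FIB, not against a community, so it is a different check rather than the community lookup the post asks about.

```junos
/* Added example, not from the original post. All names, ASNs,
   the community value and the prefixes are placeholders. */

policy-options {
    prefix-list CUSTOMER-SPACE {
        198.51.100.0/24;
        203.0.113.0/24;
    }
    community CUST-ROUTES members 65000:100;

    /* Tag what we accept from a customer BGP session */
    policy-statement FROM-CUSTOMER-AS65001 {
        term accept-their-space {
            from {
                route-filter 203.0.113.0/24 orlonger;
            }
            then {
                community add CUST-ROUTES;
                accept;
            }
        }
        term deny-rest {
            then reject;
        }
    }

    /* Only community-tagged routes are exported to upstreams */
    policy-statement TO-UPSTREAM {
        term tagged-customer-routes {
            from community CUST-ROUTES;
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}

routing-options {
    static {
        /* A static customer route carries the same community */
        route 198.51.100.0/24 {
            next-hop 192.0.2.2;
            community 65000:100;
        }
    }
}

protocols {
    bgp {
        group CUSTOMERS {
            neighbor 192.0.2.6 {
                peer-as 65001;
                import FROM-CUSTOMER-AS65001;
            }
        }
        group UPSTREAMS {
            export TO-UPSTREAM;
            neighbor 192.0.2.10 {
                peer-as 65002;
            }
        }
    }
}

firewall {
    family inet {
        /* Prefix-list based anti-spoofing: the list that must be maintained */
        filter CUSTOMER-ANTISPOOF {
            term customer-sources {
                from {
                    source-prefix-list {
                        CUSTOMER-SPACE;
                    }
                }
                then accept;
            }
            term spoofed {
                then {
                    count spoofed-sources;
                    discard;
                }
            }
        }
    }
}

interfaces {
    ge-0/0/0 {
        unit 100 {
            description "Customer AS65001, single-homed";
            family inet {
                address 192.0.2.5/30;
                /* Strict uRPF: discard if the FIB's best route to the
                   source does not point back out this interface.
                   Needs no prefix-list, but is only sound when the
                   customer is single-homed and routing is symmetric. */
                rpf-check;
                /* Alternatively (or in addition) apply the list-based filter */
                filter {
                    input CUSTOMER-ANTISPOOF;
                }
            }
        }
    }
}
```

Two caveats on the RPF option: `rpf-check mode loose` only verifies that the source is present in the FIB at all, so on a customer port it will pass traffic spoofed from almost any routed address and is not a substitute for strict mode; and strict mode needs the customer's routes (static or BGP-learned) to actually point out that interface, which is exactly the case for the single-homed customers the community tagging already covers. For the static-route part of the list, JunOS can also derive the prefix-list from the configuration itself with `prefix-list CUSTOMER-STATICS { apply-path "routing-options static route <*>"; }`, which removes the manual maintenance for statics but does nothing for BGP-learned customer space.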