[j-nsp] flow-route questions.

[Alexandre Snarskii]

Hi!

While thinking about using RFC5575 (flow routes), i found at 
least some questions that i'm not able to answer.

a) RFC clearly states that 'flow routes must be validated' 
and describes validation procedure using destination-prefix 
attribute. But at the same time RFC does not enforce
destination-prefix attribute to be present in flow specifications,
and does not provide any detail on how to validate flow specifications
missing destination-prefix - i.e., should validation procedure
drop them all or should it accept all such flowspecs ? 
I suppose that as the latter case opens a too large security hole
(imagine customer that blackholes all google.com by setting only
source-address), JunOS implements former case at least on eBGP links, 
but that behaviour is not confirmed in documentation... 

b) As far as flow specs are the part of the same BGP session
as the usual inet-unicast routes - are they subject of the 
same import policy configured for peer/peer-group or the 
validation procedure is the only import policy for these NLRI ? 
If the former case is correct - are there any way to distinguish
inet-unicast and inet-flow NLRI ? (Why it's important for us: 
we're using prefix-filters to filter our client announces, 
and, as far as we should not require explicit route-object 
configured for any destination client may wish to filter - inet-unicast
routes should proceed filtered as usually, but for flowspec's
there is prefix-limit and validation procedure, and that seems
to be enough). 

c) Is there any way to filter some flow specifications from 
client announces ? F.e., i do not like idea that my customer 
may request mapping some traffic to network-control priority 
by the means of flowspecs... 

d) And, finally: unfortunately, not all our customers runs Juniper :( 
Is there any way to 'translate' some customer updates (classic 
blackhole by /32 route with specific community) into flow routes ?