[j-nsp] dynamic prefix list based on as-path .. is it possible?

Jeff Haas jhaas at juniper.net
Wed Jul 29 10:02:44 EDT 2015


Tim,

> On Jul 28, 2015, at 6:49 PM, tim tiriche <tim.tiriche at gmail.com> wrote:
> 
> Hello,
> 
> Goal: on transit provider link, allow ASN XYZ to reach port 80 and drop all
> other destined to port 80?
> 
> 
> I don't want to build a static filter as ASN XYZ could have additional
> updates.
> Not sure if flowspec can match on as-path?

Flowspec can't currently match as-path.  It's an interesting thought, would have some tricky deployment issues.

Do you match only on path for active route?
All Adj-Rib-In routes?  (Restrict to ones eligible for selection?)

I think the issue would eventually devolve down to wanting to have the full set of eligible paths regardless of selection and regardless of where the box in your network is.  This is problematic.

Some solutions that suggest themselves using other tools are using IRR data or RPKI ROA objects to generate the list, but then you'd still need to push it to your router.  And of course, there's still periodic scraping of routes to build/update the lists.

I don't have a clean answer, but it's leading me to ponder some.

- Jeff
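
The ROA-based approach mentioned in the reply above, as an added example that is not part of the original message or Juniper code: it turns validated ROA payloads into per-family Junos prefix-lists for one origin AS. The JSON shape (a "roas" array with asn/prefix/maxLength), the sample data, and the list name AS64500-ROA are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the JSON shape assumed for an RPKI validator export
# (a "roas" array of asn/prefix/maxLength); documentation ASNs and prefixes.
SAMPLE_VRPS = json.dumps({"roas": [
    {"asn": "AS64500", "prefix": "192.0.2.0/25", "maxLength": 25},
    {"asn": "AS64500", "prefix": "192.0.2.128/25", "maxLength": 25},
    {"asn": 64500, "prefix": "198.51.100.0/24", "maxLength": 24},
    {"asn": "AS64500", "prefix": "2001:db8::/32", "maxLength": 48},
    {"asn": "AS64501", "prefix": "203.0.113.0/24", "maxLength": 24},
    {"asn": "AS64500", "prefix": "not-a-prefix", "maxLength": 24},
]})


def _asn(value):
    """Normalise 'AS64500', 'as64500' or 64500 to an int."""
    text = str(value).upper()
    return int(text[2:] if text.startswith("AS") else text)


def prefixes_for_origin(vrp_json, origin_asn):
    """Return {4: [...], 6: [...]} of collapsed networks authorised for origin_asn."""
    nets = {4: [], 6: []}
    for roa in json.loads(vrp_json).get("roas", []):
        try:
            if _asn(roa["asn"]) != origin_asn:
                continue
            net = ipaddress.ip_network(roa["prefix"], strict=True)
        except (KeyError, ValueError):
            continue  # skip malformed entries rather than emit a bad filter term
        nets[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}


def junos_prefix_lists(vrp_json, origin_asn, name):
    """Render one prefix-list per address family as Junos set commands."""
    lines = []
    for version, nets in sorted(prefixes_for_origin(vrp_json, origin_asn).items()):
        for net in nets:
            lines.append(f"set policy-options prefix-list {name}-v{version} {net}")
    return lines


if __name__ == "__main__":
    print("\n".join(junos_prefix_lists(SAMPLE_VRPS, 64500, "AS64500-ROA")))
```

A ROA only states which AS may originate a prefix, so the result covers that AS's own announcements and not routes it carries for its customers; the generated list still has to be pushed to the router on a schedule.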

