nLayer IP transit

Alexandre Snarskii snar at snar.spb.ru
Thu Aug 1 07:35:38 UTC 2013


On Thu, Aug 01, 2013 at 09:13:59AM +0300, Saku Ytti wrote:
> On (2013-08-01 10:00 +1000), Mark Tees wrote:
> 
> > I remember reading a while back that customers of nLayer IP transit
> > services could send in Flowspec rules to nLayer. Anyone know if that is
> > true/current?
> 
> Anyone planning to do this might want to be aware that the validation
> process of flowspec does not limit actions.
>
> In practice this means, if you do run flowspec to your customers, your
> customers likely can inject traffic to arbitrary VRFs.

You can match flow actions by extended communities and not accept
actions you do not like. For example, to permit only "discard" action
you can match 

    community flow_discard members traffic-rate:*:0;

Or am I missing something?

> I feel RFC should have explicitly stated valid actions for validation
> process, which operator MAY change, and any other action MUST cause
> validation process to fail.
> 
> 
> -- 
>   ++ytti

-- 
In theory, there is no difference between theory and practice. 
But, in practice, there is. 
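As an added illustration of the check Alexandre describes (inspecting the action extended communities a flowspec route carries and accepting only the ones the operator wants), the following Python is example code, not from the thread or from any vendor: it decodes the RFC 5575 action communities and accepts a route only when every action is traffic-rate 0, i.e. discard. The policy function name and the sample AS/RT values are constructed for the example.

```python
import struct

# RFC 5575 section 7 flowspec action extended communities as (type, subtype).
TRAFFIC_RATE = (0x80, 0x06)     # 2-byte AS + 4-byte IEEE float, bytes/second
TRAFFIC_ACTION = (0x80, 0x07)   # sample / terminal-action flags
REDIRECT = (0x80, 0x08)         # route-target format: steers traffic into a VRF
TRAFFIC_MARKING = (0x80, 0x09)  # rewrite DSCP


def parse_action(ecomm):
    """Decode one 8-byte extended community into (action name, parameters)."""
    if len(ecomm) != 8:
        raise ValueError("extended community must be 8 bytes")
    kind = (ecomm[0], ecomm[1])
    if kind == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ecomm[2:])
        return "traffic-rate", {"as": asn, "rate": rate}
    if kind == REDIRECT:
        asn, value = struct.unpack("!HI", ecomm[2:])
        return "redirect", {"rt": f"{asn}:{value}"}
    if kind == TRAFFIC_ACTION:
        return "traffic-action", {"flags": ecomm[7]}
    if kind == TRAFFIC_MARKING:
        return "traffic-marking", {"dscp": ecomm[7] & 0x3F}
    return "unknown", {"type": kind}


def accept_discard_only(communities):
    """Policy equivalent to matching traffic-rate:*:0 and nothing else.

    A route with no action community, or with any action other than a
    zero traffic-rate (redirect into a VRF included), is rejected.
    """
    if not communities:
        return False
    for ecomm in communities:
        name, params = parse_action(ecomm)
        if name != "traffic-rate" or params["rate"] != 0:
            return False
    return True


def make_rate(asn, rate):
    """Build a traffic-rate community (constructed test data)."""
    return bytes(TRAFFIC_RATE) + struct.pack("!Hf", asn, rate)


def make_redirect(asn, value):
    """Build a redirect (route-target) community (constructed test data)."""
    return bytes(REDIRECT) + struct.pack("!HI", asn, value)
```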