Trusted Networks Initiative: DDoS fallback set of AS'es

Christopher Morrow morrowc.lists at gmail.com
Thu Apr 16 21:30:35 UTC 2015


On Thu, Apr 16, 2015 at 4:42 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 4/16/15 1:30 PM, Valdis.Kletnieks at vt.edu wrote:
>> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>>
>>> If you don't want packets from 1312 don't announce to them?
>>
>> I'm probably at least 4-5 AS's away, and you're probably routed to us
>> through Cogent or similar large transit.  Feel free to not announce your
>> routes to Cogent because you don't want packets from my AS...
>>
>> (For whatever value of "Cogent" you have for your upstream)
>
> bearing in mind that transit providers rarely give you communities to
> influence their customers, just peers. There is an illusion of control
> that provider no export communities provide that always requires
> confirmation when applied. if 1312 buys the full internet cone they can
> also install a default. so they can send you packets even if they in
> fact do not have your route.

lesson learned don't use an example...
Note I also said:
 " (or other similar options)."

(ha! here's more examples!)
  o poison the route with the remote ASN in the AS path! (except for
default followers)
  o ask for packet filter from upstream isp
  o stop announcing your route
  o filter on your side of the fence.

in any case the idea still seems silly.



More information about the NANOG mailing list