peer "sanity" filters - best practices?
Christian Nielsen
cnielsen at nielsen.net
Thu Jan 25 01:36:18 UTC 2001
well... everyone has different ways of doing it. basically we do the
following.
for the larger peers, ie cw, uunet, bbn, sprint, we filter them via
as-path
ie
for uunet, we would filter _1239_ _1_ and _3561_
we set this up after a large internet router company leaked full routes to
^1239_.
for all other peers we filter _701_ _1239_ _1_ and _3561_.
next, we max-prefix all peers. this stops route-leaks. yes, sometimes a
peer gets shut down because they just got a large new customer but i would
put this at about 1 in 100. the other times are because of poor filtering.
we filter RFC1918, default and reserved blocks. anyone notice that there
are companies using ips from IANA-Reserved? of course we don't see them
anymore. we also filter out things like 64/8. this is due to mis-config on
the isp side. no one should be sending 64/8.
lastly, we filter at the /24 level.
this should be a good start for anyone looking to do filtering.
Christian
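
The checks described in the message above, modelled as an added example that is not part of the original post. The function names, the translation of `_` into a delimiter match, counting max-prefix after the other filters, and the sample routes are assumptions; the reserved-block and 64/8 filters are left out because the post does not list them.

```python
import ipaddress
import re

# ASNs are the ones named in the post; every other name and value is assumed.
LARGE_AS = {"701", "1239", "1", "3561"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DELIM = r"(?:^|$|[ ,{}()])"  # what "_" stands for in router AS-path regexes


def as_path_filters(peer_as):
    """Large peers: deny the other large ASes. All other peers: deny all four."""
    denied = LARGE_AS - {str(peer_as)}
    return [re.compile(DELIM + asn + DELIM) for asn in sorted(denied)]


def check_route(peer_as, prefix, as_path):
    """Return 'accept' or the name of the filter that drops the announcement."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return "default"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.prefixlen > 24:
        return "longer-than-/24"
    if any(f.search(as_path) for f in as_path_filters(peer_as)):
        return "as-path"
    return "accept"


def run_session(peer_as, announcements, max_prefix):
    """Filter each route, then enforce max-prefix (assumed: counted after filters)."""
    accepted = []
    for prefix, as_path in announcements:
        if check_route(peer_as, prefix, as_path) == "accept":
            accepted.append(prefix)
            if len(accepted) > max_prefix:
                return "shutdown", []  # limit exceeded: session dropped
    return "up", accepted


# Constructed sample: documentation prefixes and private-use ASNs.
SAMPLE = [("198.51.100.0/24", "65010 64500"), ("203.0.113.0/24", "65010 64501"),
          ("192.168.1.0/24", "65010 64502"), ("192.0.2.0/24", "65010 1239 64503")]

if __name__ == "__main__":
    print(run_session(65010, SAMPLE, max_prefix=10))
```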