route filtering in large networks

Richard A Steenbergen ras at e-gerbil.net
Thu Mar 13 03:47:21 UTC 2003


On Wed, Mar 12, 2003 at 10:22:53PM -0500, Andy Dills wrote:
> 
> Randy, you've run a huge network. I have not had that opportunity, and I
> don't have "banana eaters" working for me (and I'm not sure what that
> phrase means exactly, but I'll assume it isn't racial).

I believe he is referring to the class of people who do stuff without
understanding why, whom we sometimes call monkeys... Leave it to Randy to
defend and offend in the same e-mail, but fortunately I don't think anyone
is going to complain about species-ism. :)

> I must not understand something. How would the banana eaters screw up
> applying the same prefix-list outbound to all neighbors? Seems like an
> easy protocol to follow. I could understand the problems with applying
> inbound filters (unique huge filter for each neighbor), but if you're
> willing to localize bogon routes to the border router, without
> redistributing them, you get the job done. So filter announcements to
> every neighbor.

Simple, apply a bogon list and then fail to update it. If you are not
ready, willing and able to keep your lists updated, you probably shouldn't
have applied them in the first place. I routinely see people doing absurd 
things like applying ipfw bogon filters on individual servers to "protect 
against DoS" that end up costing them way more in performance than they 
could possibly gain from filtering the bogons. Let's keep it real folks, 
these filters aren't needed everywhere.

Personally I don't think it's "too" hard to set up some scripts
which can apply updated bogon and other important prefix-list updates
globally. Rancid and about 15 lines of shell script should do you just
fine. If you're lucky enough to have Junipers, you can use the same
prefix-list to filter both routes and packets.

That said, I'm sure we would all LOVE a protocol which can dynamically 
supply routes for various route and packet filter operations throughout a 
large network.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
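The "15 lines of shell script" refresh mentioned in the post, as an added example that is not part of the original message or of Rancid: it turns a bogon file into a router prefix-list and checks whether the copy deployed on a router is stale before anything is pushed. It assumes Cisco IOS "ip prefix-list" syntax, a bogon file with one CIDR per line and '#' comments, and a hypothetical list name BOGONS; the sample bogon list is constructed for the demo, not a live feed.

```shell
#!/bin/sh
# Added example (not the author's script or any project's code): build a router
# prefix-list from a bogon list and decide whether the deployed copy is stale.
# Assumptions: Cisco IOS "ip prefix-list" syntax, a bogon file with one CIDR per
# line ('#' starts a comment), and a hypothetical list name BOGONS. The sample
# bogon list below is constructed for the demo and is not an authoritative feed.

PL_NAME="BOGONS"

# Write a small constructed bogon list to the path given as $1.
make_sample_bogons() {
    cat > "$1" <<'EOF'
# constructed sample, not an authoritative bogon list
0.0.0.0/8          # "this" network
10.0.0.0/8         # RFC 1918
127.0.0.0/8        # loopback
169.254.0.0/16     # link-local
172.16.0.0/12      # RFC 1918
192.168.0.0/16     # RFC 1918

240.0.0.0/4        # reserved
EOF
}

# Print IOS config that rebuilds $PL_NAME from the bogon file $1.
# Each bogon is denied together with all of its more-specifics ("le 32");
# the final line permits whatever was not denied above it. Malformed lines
# are reported on stderr and skipped rather than silently turned into config.
gen_bogon_prefix_list() {
    file="$1"
    seq=10
    echo "no ip prefix-list $PL_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=$(printf '%s\n' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$cidr" ] && continue
        case "$cidr" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # must look like a.b.c.d/len
            *) echo "skipping malformed entry: $cidr" >&2; continue ;;
        esac
        echo "ip prefix-list $PL_NAME seq $seq deny $cidr le 32"
        seq=$((seq + 10))
    done < "$file"
    echo "ip prefix-list $PL_NAME seq $seq permit 0.0.0.0/0 le 32"
}

# Count the deny entries a bogon file would produce. A sanity check before a
# push: grep -c exits non-zero on zero matches, so an empty or truncated feed
# fails loudly instead of wiping the list on every router.
count_bogon_entries() {
    gen_bogon_prefix_list "$1" | grep -c ' deny '
}

# Return 0 when the deployed config $1 already matches what bogon file $2
# would generate, 1 when a push is needed. This is the per-router check that
# keeps the refresh idempotent: routers that are current are left alone.
prefix_list_is_current() {
    deployed="$1"; bogons="$2"
    gen_bogon_prefix_list "$bogons" | cmp -s - "$deployed"
}

# Demo: generate once, then compare a current copy and a stale copy that is
# missing one entry (the situation the post describes: applied, never updated).
work=$(mktemp -d)
make_sample_bogons "$work/bogons.txt"
gen_bogon_prefix_list "$work/bogons.txt" > "$work/deployed.cfg"
grep -v '240.0.0.0/4' "$work/deployed.cfg" > "$work/stale.cfg"
echo "entries: $(count_bogon_entries "$work/bogons.txt")"
prefix_list_is_current "$work/deployed.cfg" "$work/bogons.txt" && echo "router A: current"
prefix_list_is_current "$work/stale.cfg" "$work/bogons.txt" || echo "router B: needs update"
rm -rf "$work"
```

In a real refresh the "deployed" file would be the router config Rancid already collects, and the generated lines would only be pushed to routers where prefix_list_is_current fails; the "no ip prefix-list" line at the top means each push is a full rebuild, so the feed count check matters before it runs.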