UUNet Offer New Protection Against DDoS

Patrick W. Gilmore patrick at ianai.net
Wed Mar 3 22:40:29 UTC 2004


On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:

>>> I'm puzzled by one aspect on the implementation.. how to build your customer
>>> prefix filters.. that is, we have prefix-lists for prefix and length.
>>> Therefore at present we can only accept a tagged route for a whole block..
>>> not good if the announcement is a /16 etc !
>>
>> MCI handles this by only filtering on prefix, not length.  Well,
>> allowing you to only announce up to your length, not shorter, but
>> longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!

What's wrong with letting customers announce /32s into your network, as 
long as you do not pass it to anyone else (including other customers)?

Here is what I did (when I had a network =) :
   * Prefix filter customers in, allowing more specifics
   * Filter > /24s & Bogons out to customers
   * Bogon & /24 filter peers in
   * Bogon, /24, and cust-only community filter peers out

Theoretically, the Bogon out filters are irrelevant, since your table 
should be clean from the inbound filters, but I like "belt and 
suspenders".  (Plus one day I leaked a slew of 10-net from a NOC test 
LAN and hit one of the Merit instability mailing lists.  Burned once, 
twice shy. :)

-- 
TTFN,
patrick
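The four-point filter policy from the message above, as an added Python model that is not part of the original post and not any router vendor's configuration syntax; the customer allocation, the short bogon list and the "cust-only" community value are constructed assumptions. It traces where a customer announcement can go, showing that a /32 is accepted from the customer (filter 1) but stopped at both the customer and peer edges (filters 2 and 4).

```python
from ipaddress import ip_network

# Every value here is constructed for the example: one customer allocation
# (TEST-NET-2), a short bogon list, and an assumed community value.
CUSTOMER_ALLOCATIONS = {"cust-a": [ip_network("198.51.100.0/24")]}
BOGONS = [ip_network(b) for b in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUST_ONLY = "64496:100"   # assumed community meaning "do not pass beyond this network"
MAX_LEN = 24              # longest prefix allowed to cross a peer or customer edge


def is_bogon(prefix):
    pfx = ip_network(prefix)
    return any(pfx.subnet_of(b) for b in BOGONS)


def customer_in(cust, prefix):
    """Filter 1: accept only what lies inside the customer's allocation, but
    allow any more-specific of it, down to a /32."""
    pfx = ip_network(prefix)
    return any(pfx.subnet_of(a) for a in CUSTOMER_ALLOCATIONS.get(cust, []))


def customer_out(prefix):
    """Filter 2: nothing longer than a /24 and no bogons toward customers."""
    return ip_network(prefix).prefixlen <= MAX_LEN and not is_bogon(prefix)


def peer_in(prefix):
    """Filter 3: the same length and bogon checks on routes learned from peers."""
    return ip_network(prefix).prefixlen <= MAX_LEN and not is_bogon(prefix)


def peer_out(prefix, communities=frozenset()):
    """Filter 4: length, bogon and customer-only community checks toward peers."""
    return customer_out(prefix) and CUST_ONLY not in communities


def propagate(cust, prefix, communities=frozenset()):
    """Trace a customer announcement through the three points it can reach."""
    accepted = customer_in(cust, prefix)
    return {"accepted": accepted,
            "to_customers": accepted and customer_out(prefix),
            "to_peers": accepted and peer_out(prefix, communities)}


if __name__ == "__main__":
    for prefix, comms in (("198.51.100.7/32", frozenset()),             # blackhole-style /32
                          ("198.51.100.0/24", frozenset({CUST_ONLY})),  # tagged customer-only
                          ("198.51.0.0/16", frozenset()),               # shorter than allocated
                          ("10.1.0.0/16", frozenset())):                # bogon, outside allocation
        print(prefix, propagate("cust-a", prefix, comms))
```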