UUNet Offer New Protection Against DDoS
Patrick W. Gilmore
patrick at ianai.net
Wed Mar 3 22:40:29 UTC 2004
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
>>> I'm puzzled by one aspect on the implementation.. how to build your
>>> customer prefix filters.. that is, we have prefix-lists for prefix and
>>> length. Therefore at present we can only accept a tagged route for a
>>> whole block.. not good if the announcement is a /16 etc!
>>
>> MCI handles this by only filtering on prefix, not length. Well,
>> allowing you to only announce up to your length, not shorter, but
>> longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing
> this, in addition we have an extra filter which overrides anything that
> would deny anything longer than a /24. I'm not keen to change that.. LART
> appears to have little or no effect with my customers, preemption appears
> to be the only way!
What's wrong with letting customers announce /32s into your network, as
long as you do not pass it to anyone else (including other customers)?
Here is what I did (when I had a network =) :
* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out
Theoretically, the Bogon out filters are irrelevant, since your table
should be clean from the inbound filters, but I like "belt and
suspenders". (Plus one day I leaked a slew of 10-net from a NOC test
LAN and hit one of the Merit instability mailing lists. Burned once,
twice shy. :)
--
TTFN,
patrick
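The four filter points in the post above, modelled as an added example (not the author's configuration, nor any vendor's): a small Python policy evaluator built on the standard ipaddress module. The bogon list is abbreviated, and the community value 64496:100 and the customer aggregates are assumptions for the example.

```python
import ipaddress

# Constructed sample data: the bogon list is abbreviated (a real one is much
# longer); the community value and customer aggregates are assumptions.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUST_ONLY = "64496:100"   # community marking routes that must never reach peers
MAX_LEN = 24              # the "/24 filter": nothing longer than /24 crosses AS borders
CUSTOMERS = {             # each customer's registered aggregate(s)
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}

def is_bogon(net):
    return any(net.subnet_of(b) for b in BOGONS)

def customer_in(customer, prefix, communities=()):
    """Prefix-filter customers in, allowing more specifics down to /32.
    Returns an accepted route {"net", "comms"} or None if dropped."""
    net = ipaddress.ip_network(prefix)
    if is_bogon(net):
        return None
    if not any(net.subnet_of(agg) for agg in CUSTOMERS.get(customer, [])):
        return None           # outside the registered block, or shorter than it
    comms = set(communities)  # a customer may tag a route cust-only itself
    if net.prefixlen > MAX_LEN:
        comms.add(CUST_ONLY)  # a /32 etc. is only ever used inside this AS
    return {"net": net, "comms": comms}

def peer_in(prefix):
    """Bogon & /24 filter peers in."""
    net = ipaddress.ip_network(prefix)
    if is_bogon(net) or net.prefixlen > MAX_LEN:
        return None
    return {"net": net, "comms": set()}

def customer_out(route):
    """Filter > /24s & bogons out to customers (the belt-and-suspenders check)."""
    net = route["net"]
    return not is_bogon(net) and net.prefixlen <= MAX_LEN

def peer_out(route):
    """Bogon, /24, and cust-only community filter peers out."""
    return customer_out(route) and CUST_ONLY not in route["comms"]

if __name__ == "__main__":
    r = customer_in("cust-a", "198.51.100.7/32")
    print(r["net"], "to customers:", customer_out(r), "to peers:", peer_out(r))
```

Note that the community check in peer_out is what stops a customer-tagged /24 (which passes the length filter) from leaking to peers, while the /24 length filter alone already keeps the /32s in.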