Request comment: list of IPs to block outbound

• Previous message (by thread): Request comment: list of IPs to block outbound
• Next message (by thread): Request comment: list of IPs to block outbound
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 18 Oct 2019 at 20:15, Lukas Tribus <lists at ltri.eu> wrote:

> This has the potential to brake things, because it requires symmetry
> and perfect IRR accuracy. Just because the prefix would be rejected by
> BGP does not mean there is not a legitimate announcement for it in the
> DFZ (which is the exact difference between uRPF loose mode and the ACL
> approach).

It's interesting to also think, when is good time to break things.

CustomerA buys transit from ProviderB and ProviderA

CustomerA gets new prefix, but does not appropriately register it.

ProviderB doesn't filter anything, so it works. ProviderA does filter
and does not accept this new prefix. Neither Provider has ACL.


Some time passes, and ProviderB connection goes down, the new prefix,
which is now old prefix experiences total outage. CustomerA is not
happy.


Would it have been better, if ProviderA would have ACLd the traffic
from CustomerA? Forcing the problem to be evident when the prefix is
young and not in production. Or was it better that it broke later on?


-- 
  ++ytti

• Previous message (by thread): Request comment: list of IPs to block outbound
• Next message (by thread): Request comment: list of IPs to block outbound
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]