Home page logo

nanog logo nanog mailing list archives

Re: weird BGP cisco-ism? [problem resolved]
From: Charles Sprickman <spork () inch com>
Date: Sat, 12 Jul 1997 00:17:56 -0400 (EDT)

Not to totally go off the subject, but if you have a ruleset like this
implemented for all of your customers, what type of extra load does the
route filtering impose on a router?  We're a rather small ISP, and we
don't use BGP at all, I'm just curious what type of impact this has.



On Fri, 11 Jul 1997, Robert Gutierrez wrote:
your other BGP peers?  Inbound, I mean.  Very simple:

   router bgp 1
   neighbor remote-as 2
   neighbor filter-list 99 in

   as-path access-list 99 deny ^$
   as-path access-list 99 deny ^1_
   [etc -- however you want to set it up]

Isn't this akin to wearing a condom nowadays in the 'net BGP routing

Before I left my last job, I was on my way to installing anal as-path
lists for our own customers who did BGP to prevent the above and also
prevent another Florida fiasco.  The idea was that we would only accept
explicit addresses from those BGP peers.  All that was need was to add a
list for each peer:

   neighbor distribute-list 10 in
   access-list 10 permit

or even worse, enforce CIDR/prevent subnets by only accpeting the
block advertisement:

   distribute-list 101 permit

Just good practice to me :)  Hopefully everybody else is doing the

      Rob Gutierrez / 3Com - GIS Internet Security

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]