Home page logo
/

nanog logo nanog mailing list archives

Re: weird BGP cisco-ism? [problem resolved]
From: Charles Sprickman <spork () inch com>
Date: Sat, 12 Jul 1997 00:17:56 -0400 (EDT)

Not to totally go off the subject, but if you have a ruleset like this
implemented for all of your customers, what type of extra load does the
route filtering impose on a router?  We're a rather small ISP, and we
don't use BGP at all, I'm just curious what type of impact this has.

Thanks,

Charles

On Fri, 11 Jul 1997, Robert Gutierrez wrote:
your other BGP peers?  Inbound, I mean.  Very simple:

   router bgp 1
   neighbor 10.1.1.1 remote-as 2
   neighbor 10.1.1.1 filter-list 99 in

   as-path access-list 99 deny ^$
   as-path access-list 99 deny ^1_
   [etc -- however you want to set it up]

Isn't this akin to wearing a condom nowadays in the 'net BGP routing
warz.

Before I left my last job, I was on my way to installing anal as-path
access
lists for our own customers who did BGP to prevent the above and also
prevent another Florida fiasco.  The idea was that we would only accept
explicit addresses from those BGP peers.  All that was need was to add a
list for each peer:

   neighbor 10.1.1.1 distribute-list 10 in
   access-list 10 permit 172.16.0.0

or even worse, enforce CIDR/prevent subnets by only accpeting the
specific
block advertisement:

   distribute-list 101 permit 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0

Just good practice to me :)  Hopefully everybody else is doing the
same???


      Rob Gutierrez / 3Com - GIS Internet Security




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault