nanog mailing list archives

Re: Non-ISP companies multi-homing?
From: "Alec H. Peterson" <ahp () hilander com>
Date: Fri, 25 Jul 1997 09:07:32 -0400

On Fri, Jul 25, 1997 at 09:01:13AM -0400, Gordon Mercer wrote:

Don't think he did, Alec. Using communities would make it  
much easier to filter the routes to the customer than  
using confederation. I don't think there's any need to  
implement confederations here. Sounds like headaches I  
don't need. Communities would allow you to filter very  
specifically only routes coming from the router.

Well, comparing a 'real AS to a separate community' doesn't really
sound right to me.  Replacing community with confederation would make
more sense, although I do see your point.  However I believe JD's
point is that it isn't _necessary_ to get a separate ASN if you've got
a small downstream who doesn't care about having his AS visible to the
outside world.


The real problem here is that the ISP with the EBGP  
session still depends on the ISP with the IBGP session to  
do things correctly, unless customer routes are filtered  
at a network level -- Something I've never liked doing,  
but always felt was necessary.

Unfortunately it is, as the AS7007 disaster illustrated all too
clearly.


How can I have a setup that is flexible enough to satisfy  
my customer (and my workload) but safe for me? 

MCI has a route registry that you send updates to just like the RADB
(the RADB and MCI RR actually exchange data).  I believe MCI then
builds network-based access lists based on that database.

I've had customers running OSPF with one of my routers that was
redistributing OSPF into BGP, and it was probably one of the
stupidest mistakes I've ever made.  

NONONONONO!  Speaking IGP with customers bad!

Screwed me when some dumbass decided he could use whatever networks
he wanted on the Sun they were running gated on.

Yep, there's the problem.  BGP was designed to be an inter-domain
routing protocol, and should be used as such.  Unfortunately we need
some sort of network-level control over what a customer sends
upstream.  Implementing some sort of automated scheme (like the MCI RR
for example) is IMO the only scalable way of doing so.

Alec

-- 
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp () hilander com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
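
The registry-driven filtering discussed in the message above, as an added example that is not part of the original post and not MCI's or the RADB's tooling: it builds a per-customer prefix filter from RPSL-style route objects and checks announcements against it. The registry dump, the function names, the exact-match policy and the `CUST-IN` list name are assumptions made for illustration.

```python
import ipaddress

# Constructed registry dump: RPSL-style route objects using documentation
# prefixes and ASNs, not real registrations.
REGISTRY_DUMP = """\
route:   192.0.2.0/24
descr:   Example customer A
origin:  AS64500

route:   198.51.100.0/24
descr:   Example customer A, second block
origin:  AS64500

route:   203.0.113.0/24
descr:   Example customer B
origin:  AS64501
"""

def parse_route_objects(text):
    """Return {origin_as: set(ip_network)} from blank-line separated objects."""
    allowed = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            allowed.setdefault(attrs["origin"].upper(), set()).add(net)
    return allowed

def filter_announcements(allowed, customer_as, announced):
    """Split announcements into (accepted, rejected); exact match only (assumed policy)."""
    registered = allowed.get(customer_as.upper(), set())
    accepted, rejected = [], []
    for prefix in announced:
        net = ipaddress.ip_network(prefix, strict=False)
        (accepted if net in registered else rejected).append(str(net))
    return accepted, rejected

def render_prefix_list(allowed, customer_as, name="CUST-IN"):
    """Render registered prefixes as IOS-style prefix-list lines, default deny last."""
    lines = [f"ip prefix-list {name} permit {net}"
             for net in sorted(allowed.get(customer_as.upper(), set()))]
    return lines + [f"ip prefix-list {name} deny 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    db = parse_route_objects(REGISTRY_DUMP)
    print(filter_announcements(db, "AS64500", ["192.0.2.0/24", "0.0.0.0/0"]))
    print("\n".join(render_prefix_list(db, "AS64500")))
```

Because the filter is regenerated from the registry rather than edited by hand, a customer that leaks another customer's block, a default route, or a more-specific of its own block is rejected at the network level regardless of what its routers send.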

