Home page logo
/

nanog logo nanog mailing list archives

Re: Strict route filtering at IX?
From: Andy Davidson <andy () nosignal org>
Date: Mon, 17 Dec 2012 11:42:17 +0000

Hi, Dan --

On 12/12/2012 11:22, "Dan Luedtke" <mail () danrl de> wrote:

So, here's the question: How do you filter at exchanges?
Where is the error in my workflow?
Is strict route filtering a myth?

You can see if the route-servers at the IX already filter.  For example,
this is the case at LONAP, where strict filters against RADB are built.

Networks with open policy and large numbers of peers will naturally find
it hard to filter peer *prefixes* on session config, because as you have
found the config quickly becomes large and unwieldy.  As Arnold has said,
filtering with max-prefix and AS-path is more common on bilateral sessions.

My advice would be to encourage your IX operator to filter on the
route-servers, and rely on MLP derived adjacency for networks that you
want to peer with, but don't trust enough not to prefix-filter.

Andy




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault