Hank,
Enduser filtering (CERN) is in principle completely different from what we
(might if not possible else) do:
I am not supposed to filter anything between meetpoints and customers,
because I agree to some people who pay for it to provide Internet access.
I would filter nothing at all (currently do filter nothing), which does
not mean that my support hosts and networks are open.
Filtering also comes into place when customers want only access between
certain networks, but in general NSPs/ISPs are not supposed to filter at all.
Routing is different. We filter routing updates (not access filters) to
accelerate BGP convergence. We filter what we announce to the outside
world (of course not all the trash we get in).
I don't filter outgoing routing updates to speed BGP convergence. I do it
so as not to pollute the Internet with leaked bad nets. It has happened
to me and has happened to everyone. Just look at the recent nets that
Australia was leaking. If the routing access lists were automatically
created every day based on the data in the routing DB, then this would
not happen. Of course, no one can force you but your service provider
can filter what he/she hears from you based on the same rules. Then you
have a double secure routing scheme.
Mike
Michael F. Nittmann
nittmann@wis.com
Hank Nussbacher
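
Added example, not part of the original thread: a sketch of the routing-DB-driven filter generation described in the message above, building a per-origin allow list from route objects and applying it to what a neighbour announces. The RPSL-style record layout, the function names, and the prefixes and AS numbers (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed routing-DB excerpt (RPSL-style route objects); prefixes and AS
# numbers come from the documentation ranges, not from real registrations.
ROUTING_DB = """\
route:  192.0.2.0/24
origin: AS64500

route:  198.51.100.0/24
origin: AS64500

route:  203.0.113.0/24
origin: AS64501
"""

def parse_route_objects(text):
    """Return {origin_as: set of registered networks} from route objects."""
    registered = {}
    prefix = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "route":
            prefix = ipaddress.ip_network(value)
        elif key == "origin" and prefix is not None:
            registered.setdefault(value.upper(), set()).add(prefix)
            prefix = None
    return registered

def filter_announcements(registered, origin_as, announced):
    """Split a neighbour's announcements into (accepted, rejected).

    Exact match only: an unregistered net, a net registered to another AS,
    or a more-specific of a registered net is rejected rather than passed on.
    """
    allowed = registered.get(origin_as.upper(), set())
    accepted, rejected = [], []
    for item in announced:
        net = ipaddress.ip_network(item)
        (accepted if net in allowed else rejected).append(str(net))
    return accepted, rejected

if __name__ == "__main__":
    db = parse_route_objects(ROUTING_DB)
    # Constructed update from AS64500: one registered net, one net registered
    # to a different AS, and one more-specific of a registered net.
    heard = ["192.0.2.0/24", "203.0.113.0/24", "198.51.100.128/25"]
    ok, bad = filter_announcements(db, "AS64500", heard)
    print("accept:", ok)
    print("reject:", bad)
```

Running the same check on both sides of a session, against the same registry data, gives the doubled filtering the message refers to.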
Don't know what other folk are seeing, or if y'all even look. But a
significant number of leaf customer sites 'round these parts seem to be
pseudo-random route generators. I watched a small POP, less than 100
customers, for about six weeks. I would never have guessed that DEC, IBM,
MIT, and dozens of surprising Bs and Cs were in rural Southern Oregon.
I'm sure that the POP's peer ASs would have been very impressed if we had
redistributed those routes to external BGP sessions.
And we occasionally get some exciting announcements from overseas links.
To move along another tangent... What is the general wisdom on putting
pull-ups on route announcements to deter route flap? Vadim kindly gave me
a static Null 250 hack to keep announcement up even if the source of the
route drops it. Hence, you won't get the !H until you get to our border.
Los pobre packitos will travel all the way and then get whacked. Seems
to subvert one interpretation one could read into the intent of BGP.
randy
Route holdowns:
los pobres paquetos: that's just the beauty and purpose of routing
protocols to propagate the info so that los pobres paquetos don't clog
the pipe with the goal of being dropped.
To hold routes eternally down is not good: what if the customer
disconnects that network? I don't want to be notified by all leaf
networks when they will hiccup or disconnect for good.
Mike
Randy Bush wrote:
To move along another tangent... What is the general wisdom on putting
pull-ups on route announcements to deter route flap?
I don't know about the general wisdom, but Internet Africa (not a North
American operator) uses pull-ups for all routes that belong to
single-homed customers. We figure that there's no reason for BGP speakers
around the world to hear the flap when one of our single-homed customers
drops a route.
Hence, you won't get the !H until you get to our border.
Los pobre packitos will travel all the way and then get whacked. Seems
to subvert one interpretation one could read into the intent of BGP.
I don't have stats, but I don't worry about the added load. TCP backs off
pretty quickly when it figures out that the packets aren't getting
through. Poorly-behaved UDP applications are another story, of course,
but we hope there's not too much of that.
--apb (Alan Barrett)