I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map, which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24.

By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.
Jason Lumenello
IP Engineering
XO Communications
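To make the interaction between the per-neighbor prefix-list and the route-map terms concrete, here is an added example that models the policy described above; it is not configuration from the post or from XO. The discard community (65000:666) and the customer block (192.0.2.0/24) are constructed placeholders, and the evaluation order (neighbor prefix-list first, then route-map terms in sequence) is assumed to follow IOS behaviour.

```python
import ipaddress

# Constructed placeholders for the example: the customer's discard community
# and their assigned block. Real values come from the provider's policy.
DISCARD_COMMUNITY = "65000:666"
CUSTOMER_BLOCKS = ["192.0.2.0/24"]


def prefix_list_permits(prefix, entries):
    """Emulate an IOS prefix-list: entries are (network, ge, le) and the
    first entry that covers the route decides. A route matches an entry when
    it lies inside the entry's network and its length is within [ge, le]."""
    route = ipaddress.ip_network(prefix)
    for network, ge, le in entries:
        if route.subnet_of(ipaddress.ip_network(network)) and ge <= route.prefixlen <= le:
            return True
    return False  # implicit deny at the end of every prefix-list


def customer_prefix_list(blocks):
    """Per-customer list on the neighbor statement: their blocks, le /32."""
    return [(b, ipaddress.ip_network(b).prefixlen, 32) for b in blocks]


# Generic list used by route-map term 2 and above: 0.0.0.0/0 ge 8 le 24.
GENERIC_PREFIX_LIST = [("0.0.0.0/0", 8, 24)]


def evaluate_inbound(prefix, communities, blocks=CUSTOMER_BLOCKS):
    """Return what the customer session does with an announced route:
    'permit-discard' (term 1), 'permit' (term 2 and above) or 'deny'."""
    # The neighbor prefix-list is checked before the route-map; both must permit.
    if not prefix_list_permits(prefix, customer_prefix_list(blocks)):
        return "deny"
    # Term 1: match the discard community, regardless of length (the neighbor
    # prefix-list has already limited the route to the customer's own blocks).
    if DISCARD_COMMUNITY in communities:
        return "permit-discard"
    # Term 2 and above: no community match, generic length check ge 8 le 24.
    if prefix_list_permits(prefix, GENERIC_PREFIX_LIST):
        return "permit"
    return "deny"  # an untagged /32 (or anything longer than /24) ends up here


if __name__ == "__main__":
    for pfx, comms in [("192.0.2.55/32", {"65000:666"}), ("192.0.2.55/32", set()),
                       ("192.0.2.0/24", set()), ("198.51.100.7/32", {"65000:666"})]:
        print(f"{pfx:18} {sorted(comms)!s:16} -> {evaluate_inbound(pfx, comms)}")
```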
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stephen J. Wilcox
Sent: Wednesday, March 03, 2004 3:48 PM
To: james
Cc: nanog@merit.edu
Subject: Re: UUNet Offer New Protection Against DDoS

I'm puzzled by one aspect on the implementation.. how to build your customer prefix filters.. that is, we have prefix-lists for prefix and length. Therefore at present we can only accept a tagged route for a whole block.. not good if the announcement is a /16 etc!

Now, I could do as per the website at secsup.org which means we have a route-map entry to match the community before the filtering .. but that would allow