Oh, and I strip their communities, and apply no-export, on the first
term of my route map so the /32 does not get out. Of course my peer
facing policy requires specific communities to get out as well (belt and
suspenders).
This method works very well, and you do not have to give up length
restrictions or maintain two sets of customer prefix/access lists.
Jason
From: Lumenello, Jason
Sent: Wednesday, March 03, 2004 4:52 PM
To: 'Stephen J. Wilcox'; james
Cc: nanog@merit.edu
Subject: RE: UUNet Offer New Protection Against DDoSI struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the
first
term looks for the community. The customer also has a prefix-list on
their
neighbor statement allowing their blocks le /32. The following terms
(term
2 and above) in the route-map which do NOT look for the customer
discard
community, have a different standard/generic prefix-list evaluation
which
blocks cruft and permits 0.0.0.0/0 ge 8 le 24.
By doing this, I only accept a customer /32 from his dedicated
prefix-list
when it has the DOS discard community, otherwise I catch them with the
ge
8 le 24 in the following terms.
Jason Lumenello
IP Engineering
XO Communications> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
Of
> Stephen J. Wilcox
> Sent: Wednesday, March 03, 2004 3:48 PM
> To: james
> Cc: nanog@merit.edu
> Subject: Re: UUNet Offer New Protection Against DDoS
>
>
>
> I'm puzzled by one aspect on the implementation.. how to build your
> customer
> prefix filters.. that is, we have prefix-lists for prefix and
length.
> Therefore
> at present we can only accept a tagged route for a whole block.. not
good
> if the
> announcement is a /16 etc !
>
> Now, I could do as per the website at secsup.org which means we have
a
> route-map
> entry to match the community before the filtering .. but that would
allow
> the
> customer to null route any ip.
>
> What we need is one to allow them to announce any route including
more