On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:
Nathan Ward wrote:
On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
- Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.
Don't advertise v4 prefixes in v6 sessions, keep them separate.
This entire discussion went off topic, in regards to BCP and filtering.

Off-list, I had someone point out:

http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02

...which is EXACTLY in line with what my end goal was originally, and by reading it, I feel as if I was getting there free-hand. This document helps standardize things a bit, and I will follow it to a certain degree, whether or not it is considered under the standards track, or IANA considers approving the request for the BGP Extended Communities Attribute.

What really spooks me after the last week of research is how easy it would be for a client under my control (or hosts under control of an attacker) to stage/originate an inconspicuous attack (to anywhere), using standard IDS insertion/evasion tactics (even via a tunnel) from hosts within a network bordering my AS. Just by manually viewing logs of ingress traffic, there are just too many holes.

We're too small to mitigate a bandwidth-saturating attack inbound, but I can guarantee that I will ensure to the best of my ability that our network won't be part of any form of attack on yours.

Thank you everyone, for all of the off- and on-list feedback.

Steve