On 17/05/2008, at 5:53 PM, Matthew Moyle-Croft wrote:
Nathan Ward wrote:
If the foreign AS really wants to send you routes that way, they can do it regardless of how you stop your advertisements being accepted by/reaching them. We're hardly talking high security here.
ip route <prefix> <netmask> 1.1.1.1 works a treat.
I'm not quite sure of your point, Nathan. That'd stop connectivity, which isn't usually the point - especially if the issue is point (2) below.
If a foreign AS wants to work around things put in place by you/others so they don't get your prefixes (be it ASPATH poisoning, route filtering by the MLPA route-server operator, etc.) they can do so easily by putting a static route into their equipment. My point is that none of these techniques are bulletproof. I think I meant to say "packets" where I said "routes" where you quoted me above; also, that ip route blah was something that the foreign AS would stuff into their router. I hope that's a bit more clear.
MLPAs are disliked for two main reasons that I've been able to discern.
I'm not debating for/against MLPAs, that doesn't really go anywhere productive. I'm giving info that some people might find useful if they've got a network condition they need to work around with a dirty hack.
--
Nathan Ward