On Tue, 23 Sep 1997, Todd R. Stroup wrote:
Maybe I am missing something, but we use an inbound access list on all external links that eliminates IP address spoofing, as well as some basic security issues (blocking NFS, r* commands, etc., just in case some machine inside is misconfigured). If you have an inbound access list that filters based on the source address already, why would you not add the private addresses to that?
This is sort of a different issue. You are filtering IP, not routes. If you peer with someone that is sending you 10/8, even though you have it filtered on the inbound of your interface (which is good for CPU), you will still have a route injected into your route tables, which could be bad. Why not destroy the bad routes before they get to your routing table?
I guess I was referring to those comments in this thread suggesting that, instead of using inbound access filters, which cause CPU performance issues, routes should be generated to null0 (which, from my understanding, is still process switched). Perhaps my choice of message to quote was poor, but my point is that it seems like you need an ACL on every incoming link regardless, and you need a filter list on every BGP peer regardless, so why not put checks in both? I wouldn't think that, given that you need an access list, adding a few more entries is going to significantly impact performance.

John Tamplin
Traveller Information Services
jat@Traveller.COM
2104 West Ferry Way
205/883-4233x7007
Huntsville, AL 35801
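The three mechanisms argued about in this thread (an inbound interface ACL, a static route to null0, and a BGP prefix filter on the peer) each look at a different field, which is why the reply above says an ACL and a route filter are both needed. The following is an added example, not part of the original thread or any poster's configuration; it models the three checks in Python over constructed packets and announcements so the difference is explicit. The address space it treats as "ours" (192.0.2.0/24), the sample packets, the sample announcements and all function names are assumptions made for illustration.

```python
"""Added illustration (not from the original thread): an inbound ACL, a null0
route and a BGP prefix-list modelled as three separate checks.

Constructed assumptions:
  - "our" address space is 192.0.2.0/24; a packet sourced from it that arrives on
    an external link is spoofed;
  - RFC 1918 space (10/8, 172.16/12, 192.168/16) is the private space the thread
    refers to;
  - packets are (source, destination) tuples and announcements are prefix
    strings, not real wire formats.
"""
import ipaddress

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_SPACE = [ipaddress.ip_network("192.0.2.0/24")]


def acl_permits(src, dst):
    """Inbound interface ACL: decides on the packet's *source* address.
    Drops private and own-space sources arriving from outside (anti-spoofing).
    The destination is ignored here, as it would be by a source-based ACL."""
    s = ipaddress.ip_address(src)
    return not any(s in net for net in PRIVATE + OUR_SPACE)


def null_route_drops(dst, null_routes):
    """Static route to null0: a *destination* lookup. A packet with a spoofed
    source but a legitimate destination is still forwarded, so this cannot
    replace the source-address ACL."""
    d = ipaddress.ip_address(dst)
    return any(d in net for net in null_routes)


def prefix_list_permits(prefix):
    """Inbound prefix-list on the BGP peer: rejects any announced prefix that
    lies inside private space, including more-specifics (the 'le 32' case),
    before it can be installed in the routing table."""
    p = ipaddress.ip_network(prefix)
    return not any(p.subnet_of(net) for net in PRIVATE)


# Constructed samples.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10"),  # ordinary external traffic
    ("10.1.2.3", "192.0.2.10"),      # private source: spoofed or leaked
    ("192.0.2.5", "192.0.2.10"),     # our own source from outside: spoofed
]
SAMPLE_ROUTES = [
    "198.51.100.0/24",  # legitimate announcement
    "10.0.0.0/8",       # whole private block
    "10.20.0.0/16",     # more-specific of a private block, still rejected
]


def evaluate():
    """Run all three checks over the samples and return the verdicts."""
    null_routes = [ipaddress.ip_network("10.0.0.0/8")]
    packets = {
        f"{s}->{d}": {"acl": acl_permits(s, d),
                      "null0": null_route_drops(d, null_routes)}
        for s, d in SAMPLE_PACKETS
    }
    routes = {r: prefix_list_permits(r) for r in SAMPLE_ROUTES}
    return packets, routes


if __name__ == "__main__":
    pk, rt = evaluate()
    for k, v in pk.items():
        print(f"{k}: acl_permits={v['acl']} null0_drops={v['null0']}")
    for k, v in rt.items():
        print(f"{k}: prefix_list_permits={v}")
```

Note that the 10.1.2.3 packet is not dropped by the 10/8 null route (its destination is legitimate) but is dropped by the ACL, while the 10.20.0.0/16 announcement never touches a packet at all and is only caught by the prefix-list; this is the "filtering IP, not routes" distinction made above.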