Not to totally go off the subject, but if you have a ruleset like this implemented for all of your customers, what type of extra load does the route filtering impose on a router? We're a rather small ISP, and we don't use BGP at all, I'm just curious what type of impact this has. Thanks, Charles On Fri, 11 Jul 1997, Robert Gutierrez wrote:
your other BGP peers? Inbound, I mean. Very simple:
router bgp 1 neighbor 10.1.1.1 remote-as 2 neighbor 10.1.1.1 filter-list 99 in
as-path access-list 99 deny ^$ as-path access-list 99 deny ^1_ [etc -- however you want to set it up]
Isn't this akin to wearing a condom nowadays in the 'net BGP routing warz.
Before I left my last job, I was on my way to installing anal as-path access lists for our own customers who did BGP to prevent the above and also prevent another Florida fiasco. The idea was that we would only accept explicit addresses from those BGP peers. All that was need was to add a list for each peer:
neighbor 10.1.1.1 distribute-list 10 in access-list 10 permit 172.16.0.0
or even worse, enforce CIDR/prevent subnets by only accpeting the specific block advertisement:
distribute-list 101 permit 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Just good practice to me :) Hopefully everybody else is doing the same???
Rob Gutierrez / 3Com - GIS Internet Security