Yep, that is a good strategy... No announcement without the right communities sure makes it much harder to leak. We redistribute lots of static routed stuff into BGP, but only announce globally using network statements with route map applying the right communities. So far, we have never leaked internal routes to customers, peers or transit that we are aware of. John :) -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Provo Sent: Sunday, January 28, 2007 1:12 PM To: NANOG Subject: Re: Route Reflector architecture and how to get small customer blocks in to BGP? On Sun, Jan 28, 2007 at 10:59:50AM -0700, Danny McPherson wrote: [snip]
o If you're going to use redistribution - or not - ensure that all external advertisement policies require explicit match of advertise communities and default is to deny
This should be just good security policy. I think of it as a network-level instance of "that which is not expressly permitted is denied" which everyone applies for services on their hosts, right :-) Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE