On Fri, Feb 29, 2008 at 06:46:15AM -0800, David Ulevitch wrote:
> The point is -- Restrictive customer filtering can also bite you in the butt. Trying to require your providers to do a "ge 19 le 25" (or whatever your largest supernet is), rather than filters for specific prefix sizes seems a worthwhile endeavor so you can de-aggregate on the fly, as necessary.
If you support community-based blackholes, your customers want/need to be able to advertise up to /32. At a previous job we defined customer prefix-filters as "prefix/mask upto 32" and then applied a reasonable max-prefix setting[1]. This allowed customers to send us a reasonable number of deaggregates for blackholing or TE purposes but protected us from a full-on leak/deaggregation event. Needless to say, each prefix with a mask longer than /24 was tagged with no-export as well, so those longer prefixes weren't propagated beyond our network.

[1] We had a limited number of customer buckets... IIRC something like 2500, 5000, 15000, and 25000. That keeps the number of different configurations to a minimum number but still gives adequate protection.

--Jeff
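The policy Jeff describes (permit anything inside the customer's assigned blocks up to /32, tag anything longer than /24 with no-export, and cap the session with one of a few max-prefix buckets) can be emulated offline to see how it behaves against a normal announcement set and against a deaggregation leak. The following is an added example and is not code from the post or from any router vendor. It assumes IOS-style prefix-list semantics for "ge"/"le" (no ge/le matches the entry length exactly; "ge X" alone matches X up to the address length; "le Y" caps the match at Y), assumes max-prefix counts prefixes after the filter has accepted them (real implementations differ on whether they count before or after policy), and the rule for picking a bucket (smallest bucket that fits the expected route count) is an assumption, not something the post states. The customer blocks and announcements are constructed from documentation address ranges.

```python
"""Emulate a customer-facing BGP import policy: prefix-list with ge/le,
no-export tagging beyond /24, and a max-prefix cap drawn from fixed buckets.
Added example; not from the original mailing-list post."""
import ipaddress
from dataclasses import dataclass, field

NO_EXPORT = "no-export"
# The bucket sizes Jeff recalls using; the selection rule below is assumed.
MAX_PREFIX_BUCKETS = (2500, 5000, 15000, 25000)


def prefix_list_permit(prefix, entry, ge=None, le=None):
    """Assumed IOS-style 'permit ENTRY [ge X] [le Y]' match.

    no ge/le  -> prefix must equal ENTRY's length
    ge X only -> X .. address length (32 for IPv4, 128 for IPv6)
    le Y only -> ENTRY length .. Y
    ge X le Y -> X .. Y
    """
    if prefix.version != entry.version or not prefix.subnet_of(entry):
        return False
    lo = hi = entry.prefixlen
    if ge is not None:
        lo, hi = ge, prefix.max_prefixlen
    if le is not None:
        hi = le
    return lo <= prefix.prefixlen <= hi


def pick_bucket(expected_routes):
    """Smallest configured bucket that fits the expected count (assumed rule)."""
    for bucket in MAX_PREFIX_BUCKETS:
        if expected_routes <= bucket:
            return bucket
    return MAX_PREFIX_BUCKETS[-1]


@dataclass
class SessionResult:
    accepted: dict = field(default_factory=dict)   # prefix text -> set of communities
    rejected: dict = field(default_factory=dict)   # prefix text -> reason
    max_prefix_exceeded: bool = False


def evaluate_session(customer_blocks, announcements, max_prefix, ge=None, le=None):
    """Run each announced prefix through the customer prefix-list, tag long
    masks with no-export, and stop (as a router would tear the session down)
    once the accepted count reaches max_prefix."""
    result = SessionResult()
    for text in announcements:
        prefix = ipaddress.ip_network(text, strict=True)
        if not any(prefix_list_permit(prefix, blk, ge, le) for blk in customer_blocks):
            result.rejected[text] = "not covered by customer prefix-list"
            continue
        if len(result.accepted) >= max_prefix:
            result.max_prefix_exceeded = True
            break
        communities = set()
        if prefix.prefixlen > 24:
            # Longer-than-/24 deaggregates stay inside our network.
            communities.add(NO_EXPORT)
        result.accepted[text] = communities
    return result


# Constructed sample: a customer holding two documentation blocks.
CUSTOMER_BLOCKS = [ipaddress.ip_network(b) for b in ("203.0.113.0/24", "198.51.100.0/23")]
CONSTRUCTED_ANNOUNCEMENTS = [
    "203.0.113.0/24",   # the aggregate
    "203.0.113.7/32",   # a blackhole host route
    "198.51.100.0/25",  # a TE deaggregate
    "192.0.2.0/24",     # not the customer's space
]

if __name__ == "__main__":
    permissive = evaluate_session(CUSTOMER_BLOCKS, CONSTRUCTED_ANNOUNCEMENTS, pick_bucket(10), le=32)
    strict = evaluate_session(CUSTOMER_BLOCKS, CONSTRUCTED_ANNOUNCEMENTS, pick_bucket(10), le=25)
    print("'le 32' policy:", permissive)
    print("'le 25' policy:", strict)
    leak = [f"203.0.113.{i}/32" for i in range(10)]
    print("leak against max-prefix 5:", evaluate_session(CUSTOMER_BLOCKS, leak, 5, le=32))
```

Running it shows the trade-off in the thread: the "le 32" policy accepts the /32 blackhole route but tags it no-export, the "le 25" style policy rejects it outright, and a burst of host routes trips the max-prefix limit long before it could become a full deaggregation event upstream.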