On Wed, 30 Mar 2005, vijay gill wrote:
> Christopher L. Morrow wrote:
> > provided your gear supports it an acl (this is one reason layered acls would be nice on routers) per peer with:
> >
> >   permit /30 eq 179 /30
> >   permit /30 /30 eq 179
> >   deny all-network-gear-ip-space
> >
> > (some folks call it backbone ip space, Paul Quinn at Cisco says: "Infrastructure ip space")
> >
> > no more traffic to the peer except BGP from the peer /30. No more ping, no more traceroute of interface... (downsides perhaps?) and the 'customer' can still DoS himself :( (or his compromised machine can DoS him)
>
> or forge the source ip on the neighbor's /30 or /31 (why aren't you using /31s anyway) and call it done.

curse you and your new-fangled /31's! :)

Yes, someone inside the customer could DoS the customer... if the customer cared, they could acl their side as well, though since they aren't doing egress filtering I'm betting they aren't going to do this either ;(

-Chris
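The per-peer ACL Chris describes and vijay's caveat about a source forged into the link /30, modelled as an added example that is not from either poster. Addresses are constructed from RFC 5737 documentation space, with the peering /30 carved out of a larger "infrastructure" block.

```python
import ipaddress

# Constructed addresses, not from the thread: the peering link sits inside
# the provider's "infrastructure ip space" (all-network-gear-ip-space).
INFRA = ipaddress.ip_network("198.51.100.0/24")
LINK = ipaddress.ip_network("198.51.100.0/30")      # the peer /30
OUR_SIDE = ipaddress.ip_address("198.51.100.1")
PEER_SIDE = ipaddress.ip_address("198.51.100.2")
BGP_PORT = 179

def peer_acl(src, dst, proto, sport=0, dport=0):
    """Inbound ACL on the peer-facing interface, in the order given in the thread:
    permit /30 eq 179 /30 ; permit /30 /30 eq 179 ; deny infrastructure space.
    Returns "permit" or "deny" for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    on_link = src in LINK and dst in LINK
    if proto == "tcp" and on_link and sport == BGP_PORT:
        return "permit"          # BGP segments from the peer's source port 179
    if proto == "tcp" and on_link and dport == BGP_PORT:
        return "permit"          # BGP sessions opened towards our port 179
    if dst in INFRA:
        return "deny"            # no ping, traceroute or anything else to gear addresses
    return "permit"              # transit to non-infrastructure destinations passes

def thread_cases():
    """The situations discussed in the thread; returns {description: verdict}."""
    return {
        "bgp from peer":         peer_acl(PEER_SIDE, OUR_SIDE, "tcp", dport=BGP_PORT),
        "ping our interface":    peer_acl(PEER_SIDE, OUR_SIDE, "icmp"),
        "ssh to a core router":  peer_acl(PEER_SIDE, "198.51.100.200", "tcp", dport=22),
        "transit to a customer": peer_acl(PEER_SIDE, "203.0.113.5", "tcp", dport=80),
        # vijay's caveat: the ACL only sees the source field, so a packet carrying
        # any address inside the /30 (here the otherwise unused .3) still matches
        # the permit lines.  A /31 leaves no spare addresses to forge, but forging
        # the peer's own address still passes; only anti-spoofing on the customer
        # side (the egress filtering Chris mentions, BCP38/uRPF) closes the gap.
        "forged unused /30 source to bgp":
            peer_acl("198.51.100.3", OUR_SIDE, "tcp", dport=BGP_PORT),
    }
```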