We do prefix-filter all our peers, both customer and transit. We also use as-path filters. It does seem to help us avoid insertion of invalid routes and other issues (especially since some people we peer with don't do the same on their side).

As far as stability and process problems, we're too busy working on the instability of the Ciscos we're on now to notice, particularly the problem with BGP scanner taking up all the CPU every 60 seconds. We're preparing to move from an ATM core on Alcatel ATM switches with a Cisco edge to an IP-MPLS core on Juniper M-20s with M-20s (and a few Ciscos in smaller cities) on the edge. Hopefully that will improve our stability. We're pretty excited about the Junipers (the network geeks like me here are drooling).

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick W.Gilmore
Sent: Wednesday, April 21, 2004 10:12 AM
To: nanog@merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Winstar says there is no TCP/BGP vulnerability

On Apr 21, 2004, at 10:38 AM, Jared Mauch wrote:

> On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:
>> Yes, it generates more work to update the database, but OTOH it provides the LIII engineer with a lot more to troubleshoot issues. Is it simply not worth the work at your scale?
>
> Exactly.

And you do not have to be at 701's scale for this to not work.

> We've not had these issues and have been using bgp passwords/md5 for years. We do have a fancy configuration management system in place, whereby people put things into the database first before they configure the router.

Sorry, in this particular post, we were (or at least I was) talking about having prefix filters for all your peers. I know I've talked a lot about MD5 lately, just thought it would be a nice change of subject. :)

If you do prefix filter all your peers, that is impressive. Do you get out of sync a lot? Does it help keep the network more stable? Or do process problems make it worse than just max-prefixes on a peer?

--
TTFN,
patrick
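Added example, not code from the thread or from any of the posters: a Python sketch of the database-driven process the thread discusses, rendering a peer's inbound prefix-list, as-path filter and max-prefix ceiling in IOS-style syntax and reporting where a router's running filter has drifted out of sync with the database. The PeerPolicy record, filter names, ASNs and prefixes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PeerPolicy:
    """Constructed stand-in for one record of a peer database (hypothetical)."""
    name: str        # filter name stem, e.g. CUST-AS64500
    asn: int         # peer's ASN; the as-path filter pins the origin to it
    prefixes: list   # (prefix, longest allowed more-specific length) tuples
    max_prefix: int  # hard ceiling, the fallback the thread contrasts with

def render_prefix_list(p):
    """IOS-style inbound prefix-list: permit each registered block up to its
    allowed length, then an explicit deny-all so nothing else leaks in."""
    lines = []
    for i, (pfx, max_len) in enumerate(p.prefixes, start=1):
        base_len = int(pfx.split("/")[1])
        le = f" le {max_len}" if max_len > base_len else ""
        lines.append(f"ip prefix-list {p.name}-IN seq {i * 5} permit {pfx}{le}")
    lines.append(f"ip prefix-list {p.name}-IN seq 1000 deny 0.0.0.0/0 le 32")
    return lines

def render_neighbor(p, ip, acl):
    """Global as-path ACL plus the neighbor lines (these go under 'router bgp').
    The regex accepts only paths the peer originated itself, prepends allowed."""
    return [
        f"ip as-path access-list {acl} permit ^{p.asn}(_{p.asn})*$",
        f"neighbor {ip} remote-as {p.asn}",
        f"neighbor {ip} prefix-list {p.name}-IN in",
        f"neighbor {ip} filter-list {acl} in",
        f"neighbor {ip} maximum-prefix {p.max_prefix} 90 restart 30",
    ]

def drift(expected, running):
    """The 'out of sync' check: expected-but-missing vs present-but-stale lines."""
    exp, run = set(expected), set(running)
    return {"missing": sorted(exp - run), "stale": sorted(run - exp)}

CUSTOMER = PeerPolicy("CUST-AS64500", 64500,
                      [("192.0.2.0/24", 24), ("198.51.100.0/23", 24)], 10)
# Constructed running-config excerpt: the router still permits a block the
# customer gave back (203.0.113.0/24) and lacks the newer /23.
RUNNING = [
    "ip prefix-list CUST-AS64500-IN seq 5 permit 192.0.2.0/24",
    "ip prefix-list CUST-AS64500-IN seq 10 permit 203.0.113.0/24",
    "ip prefix-list CUST-AS64500-IN seq 1000 deny 0.0.0.0/0 le 32",
]

if __name__ == "__main__":
    print("\n".join(render_prefix_list(CUSTOMER) + render_neighbor(CUSTOMER, "192.0.2.1", 10)))
    print(drift(render_prefix_list(CUSTOMER), RUNNING))
```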