Re: SYN flood messages flooding my mailbox
*** Resending note of 09/23/96 18:38 Subject: Re: SYN flood messages flooding my mailbox
Not. Every entry in the filter contains the following data:
[Prefix] [Prefix Length] [Bitmask]
where the bitmask has one bit per interface, and the bit is set if a packet matching the prefix is allowed from that interface.
How do you handle the case of an inter-exchange point, with multiple BGP neighbors per interface? The MAE-East NAP is the worst case (and not everyone at a NAP is a "transit AS"). If you tried to handle the case of an IXP, wouldn't you have to filter based on both interface and MAC address?
Since in practically all cases, all prefixes (NOT routes!) found in all RIBs are also found in the FIB (the exceptions are proxy aggregation and/or restricted end-to-end reachability), the size of the list is the same as the size of the FIB.
What do you do with a prefix announced through two providers, where the prefix is taken from one provider's supernet? Wouldn't you need to check the RIB entries of all matching prefixes (including default)?
-- Richard Woundy, IBM
I'm starting to think that MAC-address-filtering ability would be a VERY useful addition for this sort of thing, esp. if it could be written as:

    access 200 deny ip any host 198.7.0.2 src-mac 0000.1111.2222
    access 200 permit ip any any

I think this isn't very possible given the IOS architecture; hopefully I'm wrong.
Avi
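The following is an added worked example, not code from anyone in this thread, modelling the filter structure under discussion: a longest-prefix-match table whose entries carry a bitmask of allowed ingress "ports". It illustrates both of Richard's questions (an exchange-point interface with several neighbours, handled by letting a port be an interface plus a source MAC, which is the same check Avi sketches as an ACL; and a multihomed prefix carved from one provider's supernet, where a bitmask derived only from the FIB best path drops legitimate packets from the second provider) and shows that building the mask from every RIB path fixes the second case. All interface names, prefixes, MAC addresses and the RIB contents are constructed for illustration and are assumptions, not data from the thread.

```python
"""Ingress source-address filter: (prefix, prefix length, bitmask) entries
with one bit per ingress port.  Everything below is constructed for
illustration; interface names, prefixes and MACs are assumptions."""
import ipaddress


class IngressFilter:
    """Longest-prefix-match table: IPv4Network -> bitmask of allowed ports.

    A port is (interface, mac).  mac=None means "any neighbour on that
    interface", i.e. the plain per-interface filter; a specific MAC is the
    per-neighbour refinement needed on a shared exchange-point medium."""

    def __init__(self):
        self._ports = {}   # (iface, mac) -> single-bit mask
        self._table = {}   # IPv4Network -> bitmask of allowed ports

    def _bit(self, iface, mac=None):
        key = (iface, mac)
        if key not in self._ports:
            self._ports[key] = 1 << len(self._ports)
        return self._ports[key]

    def allow(self, prefix, iface, mac=None):
        """OR the bit for (iface, mac) into the entry for prefix."""
        net = ipaddress.ip_network(prefix, strict=False)
        self._table[net] = self._table.get(net, 0) | self._bit(iface, mac)

    def match(self, src):
        """Longest-prefix match for a source address, or None if unrouted."""
        addr = ipaddress.ip_address(src)
        cands = [n for n in self._table if addr in n]
        return max(cands, key=lambda n: n.prefixlen) if cands else None

    def permits(self, src, iface, mac=None):
        """True if a packet from src arriving on (iface, mac) passes the filter."""
        net = self.match(src)
        if net is None:
            return False   # no route back to the source: bogon or spoofed
        mask = self._table[net]
        # Either a per-neighbour bit or an interface-wide bit satisfies the check.
        return any(mask & self._ports.get(k, 0) for k in ((iface, mac), (iface, None)))


def build_filter(paths, all_paths=True):
    """Build the filter from RIB paths given as (prefix, iface, mac, is_best).

    all_paths=False derives the bitmask from the best (FIB) path only, which
    is the failure case for a prefix announced through two providers: only
    one provider's interface bit gets set on the more-specific entry."""
    f = IngressFilter()
    for prefix, iface, mac, is_best in paths:
        if all_paths or is_best:
            f.allow(prefix, iface, mac)
    return f


# Constructed RIB (assumption): provider A on serial0 announces 198.7.0.0/16;
# the customer block 198.7.128.0/24 is carved from A's /16 but is also
# reachable via provider B on serial1; fddi0 is an IXP with two neighbours.
RIB = [
    ("198.7.0.0/16",   "serial0", None,              True),
    ("198.7.128.0/24", "serial0", None,              True),
    ("198.7.128.0/24", "serial1", None,              False),
    ("10.1.0.0/16",    "fddi0",   "0000.1111.2222",  True),
    ("10.2.0.0/16",    "fddi0",   "0000.3333.4444",  True),
]


def demo():
    fib_only = build_filter(RIB, all_paths=False)
    from_rib = build_filter(RIB, all_paths=True)
    return {
        # The /24 is the longest match, so the /16's serial0 bit never applies to it.
        "fib_only_serial1": fib_only.permits("198.7.128.9", "serial1"),
        "rib_serial1":      from_rib.permits("198.7.128.9", "serial1"),
        "rib_serial0":      from_rib.permits("198.7.128.9", "serial0"),
        # Rest of the supernet is only ever learned from serial0.
        "supernet_serial1": from_rib.permits("198.7.5.1", "serial1"),
        # IXP: correct interface, but the source MAC must belong to the right neighbour.
        "ixp_right_mac":    from_rib.permits("10.1.2.3", "fddi0", "0000.1111.2222"),
        "ixp_wrong_mac":    from_rib.permits("10.1.2.3", "fddi0", "0000.3333.4444"),
        "unrouted":         from_rib.permits("192.0.2.1", "serial0"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

The interface-only bitmask is exactly the structure quoted above; adding a MAC to the port key is what makes it usable on a shared IXP segment, and the `all_paths` switch shows why the mask has to be built from every RIB path rather than from the FIB alone.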
participants (2)
-
Avi Freedman
-
rwoundy@VNET.IBM.COM