Re: someone RBL'd a reserveD-8 number from IANA
"pv" == Paul Vixie <vixie@mibh.net> writes: I've also thought that if routers could filter based on lookup up source addresses in a BGP-made RIB, rather than just destination addresses, that the whole filtering-by-remote-control industry would appreciate the hell out of it. I'm pretty sure that both the 12016 and M160 have the hardware it would take to do this at wire speed, but I'm also pretty sure that the market for this feature is perceived by both vendors as "small."
Cisco's "QoS Policy Propagation via BGP" could almost be used to implement this. The feature is described in

  http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/bgppro...

You can map packets to a service policy according to source(!) or destination address, using an index (the "qos-group") that is stored in the FIB by a route-map action in BGP. The only problem is to define a service policy that drops such packets unconditionally. I haven't found a solution for that, but if there's enough demand, Cisco could easily come up with such a service policy I guess.

Otherwise I think the following configuration should do it, given a sufficiently recent IOS:

  class-map illegal-source-addresses
   match qos-group 78
  !
  policy-map drop-illegal-source-addresses
   class illegal-source-addresses
    !!! note: the following doesn't work because the bandwidth has to be
    !!! at least 8 (kbps). Maybe Cisco could be talked into
    !!! implementing a "drop" command that could be used instead.
    bandwidth 0
  !
  interface POS2/1/0
   description Evil Outside World
   bgp-policy source ip-qos-map
  !
  router bgp 1234
   table-map mark-illegal-source-addresses
   neighbor 5.6.7.8 description Vixie's BGP Feed Of Illegal Prefixes
   neighbor 5.6.7.8 remote-as 5678
  !
  ip as-path access-list 56 permit ^5678_
  !
  route-map mark-illegal-source-addresses
   match as-path 56
   set ip qos-group 78

-- 
Simon.
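As an added illustration (not part of Simon's post or Cisco's code), here is a small model of what the configuration above asks the forwarding path to do: routes learned from the "illegal prefixes" feed (AS 5678, route-map `^5678_`) are installed in the FIB tagged with qos-group 78, each packet's *source* address is looked up in that FIB by longest-prefix match, and packets whose source carries the tag are dropped. It models the intended drop, not the IOS `bandwidth 0` limitation the post mentions; all prefixes and AS numbers other than 5678 and 78 are constructed.

```python
import ipaddress

ILLEGAL_FEED_AS = 5678    # "neighbor 5.6.7.8 remote-as 5678" in the post
QOS_GROUP_ILLEGAL = 78    # "set ip qos-group 78" in the route-map


class Fib:
    """Prefix table carrying a per-route qos-group, queried by longest match."""

    def __init__(self):
        self.routes = []  # list of (network, qos_group), longest prefixes first

    def install(self, prefix, as_path, qos_group=None):
        # route-map mark-illegal-source-addresses: "match as-path 56" where
        # list 56 is ^5678_, i.e. the path was received from the feed AS.
        if as_path and as_path[0] == ILLEGAL_FEED_AS:
            qos_group = QOS_GROUP_ILLEGAL
        self.routes.append((ipaddress.ip_network(prefix), qos_group))
        # keep more-specific prefixes first so the first hit is the longest match
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """Return the qos-group of the longest matching route, or None."""
        a = ipaddress.ip_address(addr)
        for net, qos in self.routes:
            if a in net:
                return qos
        return None


def decide(fib, src):
    """'bgp-policy source ip-qos-map' + class-map 'match qos-group 78'."""
    if fib.lookup(src) == QOS_GROUP_ILLEGAL:
        return "drop"
    return "forward"


def build_example_fib():
    """Constructed routing table: two feed prefixes and two ordinary ones."""
    fib = Fib()
    fib.install("192.0.2.0/24", [ILLEGAL_FEED_AS])          # from the feed
    fib.install("198.51.100.0/24", [65001])                 # ordinary route
    fib.install("203.0.113.0/24", [ILLEGAL_FEED_AS, 65002]) # from the feed
    fib.install("203.0.113.128/25", [65003])                # more specific, legit
    return fib


if __name__ == "__main__":
    fib = build_example_fib()
    for src in ("192.0.2.5", "198.51.100.7", "203.0.113.9", "203.0.113.200"):
        print(src, "->", decide(fib, src))
```

Note that the longest-match rule decides the outcome for 203.0.113.200: the more specific /25 learned from a normal neighbour wins over the feed's /24, so the packet is forwarded.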
Simon Leinen