nanog mailing list archives
Re: peer "sanity" filters - best practices?
From: Christian Nielsen <cnielsen () nielsen net>
Date: Wed, 24 Jan 2001 17:36:18 -0800 (PST)
well... everyone has different ways of doing it. basically we do the following.

for the larger peers, i.e. cw, uunet, bbn, sprint, we filter them via as-path, i.e. for uunet, we would filter _1239_ _1_ and _3561_. we set this up after a large internet router company leaked full routes to ^1239_. for all other peers we filter _701_ _1239_ _1_ and _3561_.

next, we max-prefix all peers. this stops route-leaks. yes, sometimes a peer gets shut down because they just got a large new customer but i would put this at about 1 in 100. the other times are because of poor filtering.

we filter RFC1918, default and reserved blocks. anyone notice that there are companies using ips from IANA-Reserved? of course we don't see them anymore.

we also filter out things like 64/8. this is due to mis-config on the isp side. no one should be sending 64/8.

lastly, we filter at the /24 level.

this should be a good start for anyone looking to do filtering.

Christian
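Added example, not part of the original post and not the poster's router configuration: a Python model of the inbound policy the message describes, which generalizes the uunet case by letting each large peer send its own ASN but none of the other three. Assumptions: IPv4 only, the IANA-reserved list is left out because the post does not enumerate it, "64/8" is read as the bare /8 announcement, and the max-prefix limit counts every prefix received.

```python
import ipaddress

BIG_PEERS = {701, 1239, 1, 3561}  # ASNs named in the post
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# Assumption: "no one should be sending 64/8" means the bare /8 itself.
EXACT_DENY = {ipaddress.ip_network("64.0.0.0/8")}
MAX_LEN = 24  # nothing longer than a /24


def check_route(peer_asn, prefix, as_path):
    """Return (accepted, reason) for one IPv4 announcement from peer_asn."""
    net = ipaddress.ip_network(prefix)
    if net == DEFAULT:
        return False, "default"
    if any(net.subnet_of(block) for block in RFC1918):
        return False, "rfc1918"
    if net in EXACT_DENY:
        return False, "exact-deny"
    if net.prefixlen > MAX_LEN:
        return False, "too-specific"
    # A peer may send its own ASN, but never another large peer's.
    if (BIG_PEERS - {peer_asn}) & set(as_path):
        return False, "as-path"
    return True, "ok"


def apply_session(peer_asn, announcements, max_prefix):
    """Return (accepted_prefixes, session_up) for one peering session.

    Assumption: exceeding the limit drops the whole session, so nothing
    from that peer is kept.
    """
    if len(announcements) > max_prefix:
        return [], False
    kept = [p for p, path in announcements
            if check_route(peer_asn, p, path)[0]]
    return kept, True


if __name__ == "__main__":
    # Constructed sample: documentation prefixes and documentation ASNs.
    sample = [("192.0.2.0/24", [64500]),
              ("10.1.0.0/16", [64500]),
              ("198.51.100.0/25", [64500, 64501]),
              ("203.0.113.0/24", [64500, 1239, 64501])]
    for prefix, path in sample:
        print(prefix, path, check_route(64500, prefix, path))
    print(apply_session(64500, sample, max_prefix=3))
```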