RE: 69/8...this sucks

[Owen DeLong <owen () delong com>]

I'm trying to get some time to actually put it in a router and test, but
I believe there is a way to get similar functionality through a combination
of route-map entries.  When I have actual router config (I'll be testing on
Cisco, but if anyone want's to provide me a Juniper testbed, I'll be happy
to try that too), I'll post it.  If I can't, I'll post a public apology
and start beating on vendors to make it possible. :-)

Owen


--On Wednesday, March 12, 2003 11:41 PM +1100 David Luyer <david () luyer net> 
wrote:

> Stephen J Wilcox wrote:
> > On Wed, 12 Mar 2003, David Luyer wrote:
> > > Iljitsch van Beijnum wrote:
> > > > On Tue, 11 Mar 2003, Owen DeLong wrote:
> > > >
> > > > > In short, it doesn't.  Longer answer, if the ISP configures
> > > > > his router correctly, he can actually refuse to accept
> > > > > advertisements from other sessions that are longer versions
> > > > > of prefixes received through this session.
> > > >
> > > > How???
> > >
> > > There is a technically possible (but rather twisted) way you
> > > could not use the adverts, but not a way to refuse receiving
> > > them that I know of.
> >
> > I think youre mixing up with ingress filtering by prefix list
> > which you can
> > specify prefix length on and hence ignore longer (or smaller) matches.
>
> The example I provided achieved both ingress and egress filtering
> based on routes in a bogon BGP feed, in a way which would even
> block when a more-specific route is in the provider's BGP table.
> While it didn't actually prevent the routes being in the routing
> table (as I said, it doesn't provide a way to stop receiving them),
> it does prevent traffic from and to the bogon locations, which is
> a significant part of the reason to use bogon lists.
>
> However, yes, it has some deficiencies[1] compared with using the
> static bogon lists for route filtering (and ingress/egress); it
> does not prevent routing table bloat, and it does not prevent
> traffic travelling across your WAN to the point of network egress
> only to be dropped.
>
> If you want to actually not receive into your network at all the
> BGP routes which match bogons, as I stated earlier, there is no
> way I know of to do this via a BGP feed.  The only way to do it
> that I know of would be to use either a prefix list or a standard
> ACL (you can do anything you can do with a prefix list with a
> compiled extended ACL on BGP routes, it's just less clear to
> read as an extended ACL).
>
> Although, Owen DeLong has stated that it is possible, so maybe
> we should wait for his response :-)
>
> David.
>
> [1] Apart from simply being a completely twisted design.