nanog mailing list archives

Re: someone RBL'd a reserveD-8 number from IANA


From: Simon Leinen <simon () limmat switch ch>
Date: 20 Jul 2000 23:55:47 +0200


"pv" == Paul Vixie <vixie () mibh net> writes:
> I've also thought that if routers could filter based on lookup up
> source addresses in a BGP-made RIB, rather than just destination
> addresses, that the whole filtering-by-remote-control industry would
> appreciate the hell out of it.  I'm pretty sure that both the 12016
> and M160 have the hardware it would take to do this at wire speed,
> but I'm also pretty sure that the market for this feature is
> perceived by both vendors as "small."

Cisco's "QoS Policy Propagation via BGP" could almost be used to
implement this.  The feature is described in
http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/bgpprop.htm

You can map packets to a service policy according to source(!) or
destination address, using an index (the "qos-group") that is stored
in the FIB by a route-map action in BGP.

The only problem is to define a service policy that drops such packets
unconditionally.  I haven't found a solution for that, but if there's
enough demand, Cisco could easily come up with such a service policy I
guess.  Otherwise I think the following configuration should do it,
given a sufficiently recent IOS:

    class-map illegal-source-addresses
     match qos-group 78
    !
    policy-map drop-illegal-source-addresses
     class illegal-source-addresses
    !!! note: the following doesn't work because the bandwidth has to be
    !!!       at least 8 (kbps).  Maybe Cisco could be talked into
    !!!       implementing a "drop" command that could be used instead.
      bandwidth 0
    !
    interface POS2/1/0
     description Evil Outside World
     bgp-policy source ip-qos-map
    !
    router bgp 1234
     table-map mark-illegal-source-addresses
     neighbor 5.6.7.8 description Vixie's BGP Feed Of Illegal Prefixes
     neighbor 5.6.7.8 remote-as 5678
    !
    ip as-path access-list 56 permit ^5678_
    !
    route-map mark-illegal-source-addresses
     match as-path 56
      set ip qos-group 78
-- 
Simon.
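The mechanism the configuration above relies on (BGP marks routes learned from the "illegal prefixes" feed with a qos-group, the FIB carries that mark, and the ingress lookup is done on the packet's source address) can be modelled in a few lines. The following Python is an added illustration, not code from the post or from Cisco; the RIB entries, AS numbers and addresses are constructed, the as-path regex `^5678_` is approximated for space-separated paths, and the "drop" outcome assumes the unconditional drop action the post says IOS lacked at the time.

```python
import ipaddress
import re

# Constructed sample BGP RIB: (prefix, AS path as received). Not real routing data.
SAMPLE_RIB = [
    ("192.0.2.0/24", "5678 65001"),      # heard from the AS 5678 feed: will be marked
    ("192.0.2.128/25", "64496 65002"),   # more-specific from elsewhere: NOT marked
    ("198.51.100.0/24", "5678"),         # feed-originated: will be marked
    ("203.0.113.0/24", "64496 5678"),    # 5678 is not the first hop: ^5678_ does not match
    ("10.0.0.0/8", "64496"),
]

# ip as-path access-list 56 permit ^5678_
# In IOS regexes "_" matches a path delimiter (space, comma, braces, start or
# end); with space-separated AS paths, "(?:\s|$)" is a close approximation.
AS_PATH_ACL_56 = re.compile(r"^5678(?:\s|$)")

QOS_GROUP_ILLEGAL = 78  # the index the route-map stores in the FIB


def build_fib(rib):
    """table-map mark-illegal-source-addresses: attach qos-group 78 to every
    route whose AS path matches as-path list 56, and None to all others."""
    fib = []
    for prefix, as_path in rib:
        qos_group = QOS_GROUP_ILLEGAL if AS_PATH_ACL_56.match(as_path) else None
        fib.append((ipaddress.ip_network(prefix), qos_group))
    return fib


def lookup_qos_group(fib, addr):
    """Longest-prefix match of one address against the FIB; returns the
    qos-group stored with the winning route, or None for unmarked/no route."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, qos_group in fib:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, qos_group)
    return best[1] if best else None


def ingress_decision(fib, src, dst):
    """'bgp-policy source ip-qos-map' looks up the SOURCE address; the policy-map
    then drops class illegal-source-addresses (qos-group 78). The destination
    plays no part in the decision, which is the whole point of the scheme."""
    if lookup_qos_group(fib, src) == QOS_GROUP_ILLEGAL:
        return "drop"
    return "forward"


if __name__ == "__main__":
    fib = build_fib(SAMPLE_RIB)
    for src in ("192.0.2.10", "192.0.2.200", "203.0.113.5", "10.1.1.1"):
        print(src, "->", ingress_decision(fib, src, "10.9.9.9"))
```

Two details worth noticing: a more-specific route from a different feed (192.0.2.128/25 here) wins the longest-prefix match and un-marks part of a blacklisted block, exactly as it would in a real FIB, and a path that merely contains 5678 somewhere later is not matched by `^5678_`, so only routes received directly from the feed neighbour get the mark.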
