nanog mailing list archives

RE: Route Reflector architecture and how to get small customer blocks in to BGP?

From: "John van Oppen" <john () vanoppen com>
Date: Sun, 28 Jan 2007 22:44:01 -0800


Yep, that is a good strategy...   No announcement without the right
communities sure makes it much harder to leak.

We redistribute lots of static routed stuff into BGP, but only announce
globally using network statements with route map applying the right
communities.   So far, we have never leaked internal routes to
customers, peers or transit that we are aware of.

John :)

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Joe Provo
Sent: Sunday, January 28, 2007 1:12 PM
To: NANOG
Subject: Re: Route Reflector architecture and how to get small customer
blocks in to BGP?


On Sun, Jan 28, 2007 at 10:59:50AM -0700, Danny McPherson wrote:
[snip]

o If you're going to use redistribution - or not - ensure that all
external advertisement policies require explicit match of advertise
communities and default is to deny


This should be just good security policy. I think of it as a 
network-level instance of "that which is not expressly permitted 
is denied" which everyone applies for services on their hosts,
right :-)

Cheers,

Joe
-- 
             RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

Current thread:

Route Reflector architecture and how to get small customer blocks in to BGP? Pete Crocker (Jan 27)
- Re: Route Reflector architecture and how to get small customer blocks in to BGP? Joe Provo (Jan 28)
  - Re: Route Reflector architecture and how to get small customer blocks in to BGP? Danny McPherson (Jan 28)
    - Re: Route Reflector architecture and how to get small customer blocks in to BGP? Steve Meuse (Jan 28)
    - Re: Route Reflector architecture and how to get small customer blocks in to BGP? Joe Provo (Jan 28)
- <Possible follow-ups>
- RE: Route Reflector architecture and how to get small customer blocks in to BGP? John van Oppen (Jan 28)