> If I blackhole/sinkhole an external-to-my-ARIN-block IP that is > attacking my network, I'm deathly afraid that I may accidentally > advertise it to a peer.
Hadn't thought about it, but yeah, requiring a very long prefix length before appending RTBH prefixes would be a good safety measure. > I *never* assume that my upstream is doing proper filtering, so > I *always* ensure that I can only allow out what I should be > sending out. > > Is this paranoia too far fetched? Nope. Even with 'good' route-maps in place, a 'prefix-list out' directly on the neighbor still makes be feel good. (Similarly, as a stub network, we always add no-exports for imports from all eBGP sessions as well). _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
