> If I blackhole/sinkhole an external-to-my-ARIN-block IP that is

> attacking my network, I'm deathly afraid that I may accidentally
> advertise it to a peer.

Hadn't thought about it, but yeah, requiring a very long prefix
length before appending RTBH prefixes would be a good safety 
measure.

> I *never* assume that my upstream is doing proper filtering, so
> I *always* ensure that I can only allow out what I should be
> sending out.
> 
> Is this paranoia too far fetched?

Nope. Even with 'good' route-maps in place, a 'prefix-list out'
directly on the neighbor still makes be feel good. (Similarly,
as a stub network, we always add no-exports for imports from
all eBGP sessions as well).

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to