On Friday 25 January 2008 03:00, Peter E. Fry wrote:

> I'm curious myself...
> I guess URPF doesn't fit your needs? I'm not sure how
> a community match would differ a whole lot. Sadly
> enough, the best method I can think of offhand would be
> to run two filters -- one general and one specific to the
> customer link.

This is how we do it as well. Have a general outbound prefix-list to BGP customers that's secure enough, but if a customer needs to use your automated blackholing BGP community, you may build a more specific one for them that includes only their prefixes, so you don't have your "evil" customers potentially blackholing routes they do not own.

The configuration could grow, but perhaps automating this process (via RPSL, and making sure your customers "talk" to at least one RR) is one way forward.

Cheers,

Mark.
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
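
The two-filter arrangement discussed in this thread, modelled as an added example (not code or configuration from the original messages): a general filter for every customer session, plus a per-customer prefix list that is consulted only when a route carries the blackhole community. The community value, length limits, customer names and prefixes are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed values, not taken from the thread.
BLACKHOLE = "65000:666"          # hypothetical blackhole community
MIN_LEN, MAX_LEN = 8, 24         # general filter: allowed IPv4 prefix lengths
BOGONS = [ipaddress.ip_network(n)
          for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8")]

# Per-customer prefix lists, e.g. generated from RPSL route objects.
# Constructed data using documentation address ranges.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

def general_filter(prefix):
    """Filter 1: the generic policy applied to every customer session."""
    if any(prefix.subnet_of(b) for b in BOGONS):
        return False
    return MIN_LEN <= prefix.prefixlen <= MAX_LEN

def customer_filter(customer, prefix):
    """Filter 2: the prefix must sit inside a block listed for this customer."""
    return any(prefix.subnet_of(p)
               for p in CUSTOMER_PREFIXES.get(customer, []))

def evaluate(customer, prefix_str, communities):
    """Return 'accept', 'blackhole' or 'reject' for one received route."""
    prefix = ipaddress.ip_network(prefix_str)
    if BLACKHOLE in communities:
        # Blackhole requests are typically longer than MAX_LEN (often /32),
        # so they skip the length limit but must match the customer's own
        # list. A customer with no specific list cannot trigger blackholing.
        return "blackhole" if customer_filter(customer, prefix) else "reject"
    return "accept" if general_filter(prefix) else "reject"

if __name__ == "__main__":
    # Constructed sample announcements: (session, prefix, communities)
    samples = [
        ("cust-a", "192.0.2.0/24", []),
        ("cust-a", "192.0.2.55/32", [BLACKHOLE]),
        ("cust-a", "198.51.100.7/32", [BLACKHOLE]),   # cust-b's address space
        ("cust-c", "203.0.113.9/32", [BLACKHOLE]),    # no specific list built
    ]
    for cust, pfx, comms in samples:
        print(f"{cust:7} {pfx:18} {comms or '-'} -> {evaluate(cust, pfx, comms)}")
```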

