* Daniel Ouellet <dan...@presscom.net> [2009-09-15 19:14]:
>>> If I may ask here. One thing that would be nice for the records is to
>>> get a little bit more details on your setup doing that if you have
>>> no problem providing it obviously. Especially the PF configuration
>>> tied to this bgp router as well may well be very educating to many.
>>
>> it doesn't run pf.
>
> Interesting! I always thought that a minimum of PF was in use.
>
> So, if I may ask, how you do some minimum like:
>
> ip verify unicast source reachable-via any
>
> for announcement to you from multiple BGP sources or even:
>
> ip verify unicast source reachable-via rx
>
> for announcement from a single and unique bgp source then?

i dunno what that is supposed to be, i haven't touched a cisco in
years and don't plan to do it again.

> No ban of not valid or spoof IP block then?

nullroutes

> What about letting in only valid destination IP's or letting out valid
> originating IP's out then? No filter for it at all as no PF is there to
> do this?

in general this happens on the next layer, the actual firewalls.

> I obviously wrongly assume there was a minimum of PF in use as well,
> which I see I was wrong to think so. I thought PF was used to validate
> traffic, letting only valid IP's in/out and not accepting range of not
> valid BGP announcement as well. Is there a way to do this that I may
> obviously have missed by not doing it via PF?

you know nothing about that setup and make invalid assumptions.
i won't elaborate more on this setup, it's not mine, we just run some
stuff for them.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam