North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: peer "sanity" filters - best practices?
well... everyone has different ways of doing it. basicly we do the following. for the larger peers, ie cw, uunet, bbn, sprint, we filter them via as-path ie for uunet, we would filter _1239_ _1_ and _3561_ we set this up after a large internet router company leaked full routes to ^1239_. for all other peers we filter _701_ _1239_ _1_ and _3561_. next, we max-prefix all peers. this stops route-leaks. yes, sometimes a peer gets shutdown because they just got a large new customer but i would put this at about 1 in 100. the other times are because of poor filtering. we filter RFC1918, default and reserved blocks. anyone notice that there are companies using ips from IANA-Reserved? of course we dont see them anymore. we also filter out things like 64/8. this is due to mis-config on the isp side. no one should be sending 64/8. lastly, we filter at the /24 level. this should be a good start for anyone looking to do filtering. Christian