nanog mailing list archives
Re: Request comment: list of IPs to block outbound
From: Chris Jones <chrisj () aprole com>
Date: Fri, 18 Oct 2019 20:50:17 +0000
On 19 Oct 2019, at 04:42, Saku Ytti <saku () ytti fi> wrote:
> On Fri, 18 Oct 2019 at 20:15, Lukas Tribus <lists () ltri eu> wrote:
>
>> This has the potential to break things, because it requires symmetry
>> and perfect IRR accuracy. Just because the prefix would be rejected by
>> BGP does not mean there is not a legitimate announcement for it in the
>> DFZ (which is the exact difference between uRPF loose mode and the ACL
>> approach).
>
> It's interesting to also think, when is good time to break things.
>
> CustomerA buys transit from ProviderB and ProviderA.
> CustomerA gets new prefix, but does not appropriately register it.
> ProviderB doesn't filter anything, so it works. ProviderA does filter
> and does not accept this new prefix. Neither Provider has ACL.
>
> Some time passes, and ProviderB connection goes down, the new prefix,
> which is now old prefix experiences total outage. CustomerA is not
> happy.
>
> Would it have been better, if ProviderA would have ACLd the traffic
> from CustomerA? Forcing the problem to be evident when the prefix is
> young and not in production. Or was it better that it broke later on?

Having been through this exact situation recently (made worse by the fact that it was caused by provider b’s upstreams not having updated their filters and not provider b itself), I would suggest it's 100 times better for it to happen right at the start rather than randomly down the track.

> --
> ++ytti