[6bone] In the summer time, we got cleaning to do... Where is UUNET?

John Fraizer tvo@EnterZone.Net
Fri, 2 Aug 2002 13:12:47 -0400 (EDT)


On Fri, 2 Aug 2002, Michel Py wrote:

> John,
> 
> > John Fraizier wrote:
> > (We'll use your peering session as an example Michel)
> > Any comments appreciated.
> 
> - I am happy to see the addition of "set community no-export additive".
> 
> - I think you should drop seq 20 2000::/3 ge 16 le 16
> 
> - As someone else mentioned, the "subTLA-only" name might not be
> appropriate.
> 
> - There is overlap in the following two lines:
> neighbor 3ffe:1ced:ff02::2 prefix-list AS-ARNEILLPY in
> neighbor 3ffe:1ced:ff02::2 route-map AS-ARNEILLPY in
> The prefix-list is useless as the route-map uses it IMHO.
> 

Michel, actually, if you look at our config for your peering session, the
prefix-list actually does do something.  Since I use a "canned" route-map
for all peers, I have to use the neighbor 3ffe:1ced:ff02::2 prefix-list
AS-ARNEILLPY in on your peering session.

Notice in the route-map below, it would accept ANY prefix from you and
redistribute it as long as it passed prefix-list subTLA-only.

route-map AS-ARNEILLPY permit 10
 match ipv6 address prefix-list subTLA-only
!
route-map AS-ARNEILLPY permit 20
 match ipv6 address prefix-list AS-ARNEILLPY
 set community no-export additive

Since I'm prefix-list filtering you in the neighbor statement, we will
only allow prefixes from you that pass prefix-list AS-ARNEILLPY to pass on
to the route-map.  Once there, the match in stanza 20 sets the no-export
(in your case.)

This is simply to prevent you from accidentally leaking transit routes to
me.

For peers that we do transit:transit peering with, they don't have a
"prefix-list [peername] in" filter and the prefix-list [peername] is
simply used to allow "more specifics" that won't pass the subTLA-only
filter.  Those more specifics are tagged no-export then.

Do you see the reasoning now?  This way, every "transit:transit" peer is
configured the same and every "customer:customer" peer is configured the
same way.  The route-map is the same for every peer, period.  It makes
life more simple.

> 
> router bgp 13944
>  neighbor 3ffe:1ced:ff02::2 remote-as 23169
>  neighbor 3ffe:1ced:ff02::2 description ARNEILLPY
>  no neighbor 3ffe:1ced:ff02::2 activate
> !
>  address-family ipv6
>  neighbor 3ffe:1ced:ff02::2 activate
>  neighbor 3ffe:1ced:ff02::2 next-hop-self
>  neighbor 3ffe:1ced:ff02::2 route-map AS-ARNEILLPY-IN in
>  neighbor 3ffe:1ced:ff02::2 route-map AS-ARNEILLPY-OUT out
>  exit-address-family
> !
> ipv6 prefix-list AS-ARNEILLPY seq 5 permit 3ffe:1ced:a002::/48
> !
> ipv6 prefix-list MYPREFIX seq 5 permit 3ffe:1ced::/32
> !
> ipv6 prefix-list STRICT seq 5 permit 3ffe::/18 ge 24 le 24
> ipv6 prefix-list STRICT seq 10 permit 3ffe:4000::/18 ge 32 le 32
> ipv6 prefix-list STRICT seq 15 permit 3ffe:8000::/20 ge 28 le 28
> ipv6 prefix-list STRICT seq 20 permit 2001::/16 ge 29 le 35
> ipv6 prefix-list STRICT seq 500 deny any
> !
> ipv6 prefix-list SIXTOFOUR seq 5 permit 2002::/16
> !
> route-map AS-ARNEILLPY-IN deny 10
>  description deny the peer feeding me my own prefix
>  match ipv6 address prefix-list MYPREFIX
> !
> route-map AS-ARNEILLPY-IN permit 20
>  description generic filter
>  match ipv6 address prefix-list STRICT
> !
> route-map AS-ARNEILLPY-IN permit 30
>  description accept other prefixes, don't redistribute
>  match ipv6 address prefix-list AS-ARNEILLPY
>  set community no-export additive
> !
> !
> route-map AS-ARNEILLPY-OUT permit 10
>  description generic filter
>  match ipv6 address prefix-list STRICT
> !
> route-map AS-ARNEILLPY-OUT permit 20
>  description feed _my_ 6to4 route only to the peer
>  match ipv6 address prefix-list SIXTOFOUR
>  match ** whatever condition that says the 6to4 route is yours **
>  set community no-export additive
> !
> 
> 
> Michel.


That works fine except that it doesn't prevent you from accidentally leaking
transit to us.  We'd gladly accept any route you sent us that passed
prefix-list STRICT.

The one thing I noticed is the deny stanza, something that I forgot in
mine.  I don't know how.  I always do that on our v4 stuff.  I'll have to
modify the route-maps to add that.  Thanks for reminding me!

---
John Fraizer              | High-Security Datacenter Services |
EnterZone, Inc            | Dedicated circuits 64k - 155M OC3 |
http://www.enterzone.net/ | Virtual, Dedicated, Colocation    |
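The difference John describes above (a "neighbor ... prefix-list ... in" applied before the canned route-map versus the route-map alone) can be checked offline with a small model of how IOS evaluates the two filters. This is an added example, not code from the thread or from either poster. The prefix-list entries and route-map structure follow the configs quoted on the page; John's "subTLA-only" list is not shown on the page, so Michel's STRICT list stands in for it (an assumption), and the "deny the peer feeding me my own prefix" stanza is included because John says he will add it. The routes fed through the filters are constructed test data.

```python
# Added example: model of IOS inbound BGP filtering to compare the two designs on the page.
# Assumptions: STRICT stands in for the unseen "subTLA-only" list; routes below are constructed.
import ipaddress

DENY, PERMIT = "deny", "permit"


def prefix_list(entries):
    """Build a matcher for an IOS-style prefix-list.

    entries: list of (action, prefix, ge, le). First matching entry wins and
    the list ends in an implicit deny. With neither ge nor le, only the exact
    length matches; ge alone means ge..128; le alone means prefixlen..le.
    """
    parsed = [(a, ipaddress.ip_network(p), ge, le) for a, p, ge, le in entries]

    def match(route):
        net = ipaddress.ip_network(route)
        for action, pat, ge, le in parsed:
            if not net.subnet_of(pat):
                continue
            lo = ge if ge is not None else pat.prefixlen
            if le is not None:
                hi = le
            else:
                hi = net.max_prefixlen if ge is not None else pat.prefixlen
            if lo <= net.prefixlen <= hi:
                return action
        return DENY

    return match


def route_map(clauses):
    """clauses: list of (action, prefix_list matcher or None, community or None).

    First clause whose match succeeds decides; a clause with no match condition
    matches everything; no match at all is an implicit deny.
    """
    def evaluate(route):
        for action, matcher, community in clauses:
            if matcher is None or matcher(route) == PERMIT:
                return action, community
        return DENY, None

    return evaluate


def inbound(route, rmap, neighbor_pl=None):
    """IOS applies the neighbor prefix-list before the neighbor route-map."""
    if neighbor_pl is not None and neighbor_pl(route) == DENY:
        return "dropped by neighbor prefix-list", None
    action, community = rmap(route)
    return ("accepted" if action == PERMIT else "dropped by route-map"), community


# Prefix-lists as quoted in the thread.
STRICT = prefix_list([
    (PERMIT, "3ffe::/18", 24, 24),
    (PERMIT, "3ffe:4000::/18", 32, 32),
    (PERMIT, "3ffe:8000::/20", 28, 28),
    (PERMIT, "2001::/16", 29, 35),
    (DENY, "::/0", None, 128),          # "deny any"
])
MYPREFIX = prefix_list([(PERMIT, "3ffe:1ced::/32", None, None)])
AS_ARNEILLPY = prefix_list([(PERMIT, "3ffe:1ced:a002::/48", None, None)])

# The canned route-map: deny own prefix, accept generic (STRICT stands in for
# subTLA-only), then accept the peer's more-specifics tagged no-export.
CANNED = route_map([
    (DENY, MYPREFIX, None),
    (PERMIT, STRICT, None),
    (PERMIT, AS_ARNEILLPY, "no-export"),
])


def customer_peer(route):
    """John's customer:customer design: neighbor prefix-list in + route-map."""
    return inbound(route, CANNED, neighbor_pl=AS_ARNEILLPY)


def transit_peer(route):
    """transit:transit design, and also Michel's proposal: route-map only."""
    return inbound(route, CANNED)


# Constructed routes: the peer's own /48, two foreign prefixes that pass STRICT
# (a route leak), our own /32, and an over-long more-specific.
ROUTES = ["3ffe:1ced:a002::/48", "3ffe:c00::/24", "2001:db8::/32",
          "3ffe:1ced::/32", "3ffe:1ced:a002:1::/64"]


def compare(routes=ROUTES):
    return {r: (customer_peer(r), transit_peer(r)) for r in routes}


if __name__ == "__main__":
    for r, (cust, trans) in compare().items():
        print(f"{r:24} customer: {cust}   transit: {trans}")
```

The run shows the point of the thread: with the neighbor prefix-list in place, the leaked 3ffe:c00::/24 and 2001:db8::/32 never reach the route-map, whereas the route-map-only variant accepts both because they pass the generic filter.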