[6bone] Re : Filtering

Bernhard Schmidt berni@birkenwald.de
Wed, 20 Nov 2002 00:54:31 +0100


On Tue, Nov 19, 2002 at 10:36:39PM +0100, Laurent - Forum-auto.com wrote:

Hi Laurent,

> >> transit to many AS? wow ;)
> If I were you I would not laugh about that... You should be very happy
> that Ndsoftware seems not to have applied such a filter...

If I were you I would be happy that NDsoftware has not applied such a
filter (or at least removed it), it would probably have been the end of
ND's pTLA at all (I believe most people would have filtered him after
doing such a crap). You probably do not understand the difference
between Christian's way of filtering and Nicolas' way.

Christian drops the whole ND pTLA in his BGP, so 3ffe:4013::/32
is just nonexistent to him. 

Nicolas instead does not filter on BGP level (because we do not announce
2001:768:1800::/40 so he can't filter it, pretty easy heh?) but on
Layer3/4 with some packet filtering. The network he wants to blackhole
(2001:768:1800::/40) is a subset of our prefix (2001:768::/32), which he
accepts and announces to other peers.

Now for the difference... viewed only from the local system both ways
have the same effect... the filtered prefix is just not available.
Christian cannot reach Nicolas because he has no route for this, and
Nicolas cannot reach Christian because he filtered it in a packet filter
or something like that.

But now we assume both have a "multihomed" downstream (multihomed
because they have bgp sessions to two or more IPv6 ASes and therefore are
computing the used upstream by bgp prefixes... or they provide transit
to other providers and so on)

Christian does not announce 3ffe:4013::/32 to his downstream. If the
downstream has another peer he will probably get the prefix from the other
upstream and go this way. So his downstream can reach NDs if he wants to.

We remember, Nicolas has no 2001:768:1800::/40 to filter out, because
there is no such prefix to filter. He announces the complete Cybernet
prefix (2001:768::/32) to his downstream and is attracting traffic to
Cybernet into his AS. There he dumps packets to Christian.

The difference is easily visible if you look from the downstream's point
of view. Christian says "I have no information how to reach
3ffe:4013::/32, don't route this prefix to me". Nicolas says "Yes, I can
reach 2001:768::/32 (and that means _the_ _whole_ 2001:768::/32), just 
give it to me" and then dumps traffic to parts of this prefix. You see
the difference?

> Moreover, the Ipv6-FR project is not a hoax ;) Ndsoftware helps ipv6 to
> be developed in France, as you can see it in this news from an
> important Data Center in France (Paris)

Great, just one more advertising a nonexistent exchange point. I'm gonna
shoot myself tomorrow, I'm just too tired right now, okay?

TeleCity would probably announce that their cleaning personnel found a
lost screw in the datacenter if it would keep them in the news. 

-- 
   bye bye
     Bernhard
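
The downstream's view described in this message, modelled as an added example that is not part of the original post: a multihomed downstream picks an upstream from announcements alone, so a withdrawn route fails over while a packet filter hidden inside an announced aggregate blackholes traffic. The upstream names, the tie-break rule and the test addresses are assumptions made for the illustration; the prefixes are the ones quoted above.

```python
import ipaddress as ip

# Constructed model: what each upstream announces in BGP and what it
# silently drops in a packet filter. The names are hypothetical labels.
UPSTREAMS = {
    "route_filter":  {"announce": ["2001:768::/32"], "drop": []},
    "packet_filter": {"announce": ["2001:768::/32", "3ffe:4013::/32"],
                      "drop": ["2001:768:1800::/40"]},
    "other":         {"announce": ["2001:768::/32", "3ffe:4013::/32"],
                      "drop": []},
}

def forward(dest, preference):
    """Return (chosen_upstream, delivered) for a multihomed downstream.

    The downstream only sees announcements: the longest prefix wins and
    ties go to the earlier name in `preference` (an assumed stand-in for
    the real BGP tie-breakers).
    """
    addr = ip.ip_address(dest)
    best = None
    for name in preference:
        for prefix in UPSTREAMS[name]["announce"]:
            net = ip.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    if best is None:
        return None, False          # no route at all: nothing is attracted
    drops = UPSTREAMS[best[0]]["drop"]
    dropped = any(addr in ip.ip_network(p) for p in drops)
    return best[0], not dropped

def hidden_blackholes(name):
    """Drop-filter prefixes lying inside a prefix the upstream still announces."""
    up = UPSTREAMS[name]
    return [d for d in up["drop"]
            if any(ip.ip_network(d).subnet_of(ip.ip_network(a))
                   for a in up["announce"])]

if __name__ == "__main__":
    print(forward("3ffe:4013::1", ["route_filter", "other"]))
    print(forward("2001:768:1800::1", ["packet_filter", "other"]))
    print(hidden_blackholes("packet_filter"))
```

`hidden_blackholes` is the check an operator can run against a peer's known filters: any result means the peer attracts traffic it will not deliver.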