• Some handwaving about why any of this is
• When people leak a full (or even slightly full)
• The problem isn’t really address hijacking or
route theft (those are different problems)
• the problem is that routers are often
configured by crazed caffeine junkies at
• too long for poor little cisco routers with
• Knowing what to put in filters can be
• Keeping filters up-to-date can be difficult
• Announcing a new net for a customer (or a
newly-allocated net from an RIR) relies on
your peers and transit providers accepting it
• Getting transit providers’ filters updated can
• Getting peers’ filters updated sometimes
never happens (or if it does, it’s hard to tell
• More precisely, reading those updates is
annoying. Sending them is just futile, most of
individual people saying “I’ve updated your
• I am unusually grumpy, though, so this may
• If all you want to do is protect yourself
against tsunami-style leaks from peers, then
setting a maximum-prefix limit is probably
• Applying AS-PATH filters is really no more
• the update frequency is a little lower,
• An AS-PATH filter will still allow you to
receive a full leaked table if it has been
cleaned through redistribution through an
• What we really need is a unified method for
publishing the routes we want to announce:
• never having to spam your peers to tell
• being able to apply strict filters to all your
peers to protect yourself from their after-
• A description of the technical handling of
BGP updates you receive from other people,
and the BGP updates you send to others
• A language for describing routing policy
• A repository of route policy, expressed in
• the interface for updating objects is quite
• the interface for retrieving objects is quite
• One particular Routing Registry operated
• but that’s ok; there are free alternatives
• Phrase invented by Merit Networks to
describe a collection of Routing Registries
• Individual Routing Registries quite often
• “IRR” tends to mean “the set of Routing
Registries that Merit chooses to mirror”
• draft-blunk-rpslng-08, “RPSLng”, July 2004
collections of objects which have something
• aut-num (for things relating to ASes)
• Each object has an associated maintainer
• Each maintainer object has one or more
• Authentication is required to update objects
• In most Routing Registries there is no
represents routes that are allowed to be
• the RIPE registry is more advanced in this
• In general, Routing Registry data is good for
avoiding unintentional leaks, not intentional
• See RPSL specification (also, query some
registries for random ASes’ policies) for
• Contains a description of the import and
• way too much to describe in detail here
• we will just wave our hands a little bit
descr: Internet Systems Consortium, Inc.
export: to AS3557:AS-FLN announce AS3557 AND {192.5.5.0/24}
remarks: Abuse / UCE reports abuse@isc.org
• The as-set object describes a set of AS
• can be named hierarchically to avoid
members: AS23710, AS30125, AS30122, AS23709, AS27322
members: AS27318, AS27319, AS25572, AS23707, AS27320
members: AS27313, AS27321, AS30124, AS30123
members: AS3557, AS112, AS3402, AS1280, AS9327
• Route objects are used to associate routes
• AS numbers in import/export policies are
shorthand for “all routes with this origin
• You can also group collections of routes
(including covering supernets with allowable
remarks: Covering route for F.ROOT-SERVERS.NET (192.5.5.241).
remarks: Always originated from AS 3557, but part of a
remarks: anycast deployment, and hence enjoys transit from
remarks: many places. See http://f.root-servers.org/
• AS macro is the old (RIPE-181) name for
• What people are really asking is “what
expression should I put on the import line
• the convention in some circles is to
standardise all their import expressions to
something like import: from ASxxxx AS-something
• originally developed at ISI, then at RIPE,
• RtConfig is a macro expansion tool that
replaces tokens in its input stream with
• Easiest to appreciate what it is good for by
looking at examples, rather than endless
• see link in references section at end of
• It’s in FreeBSD’s ports collection
• Suppose you were peering with AS 3557 at
the PAIX in Palo Alto, and you wanted to
descr: Internet Systems Consortium, Inc.
export: to AS3557:AS-FLN announce AS3557 AND {192.5.5.0/24}
remarks: Abuse / UCE reports abuse@isc.org
[jabley@felix]% RtConfigRtConfig> @RtConfig access_list filter AS3557:AS-ISC!no access-list 100access-list 100 permit ip 128.177.0.0 0.0.0.0 255.255.0.0 0.0.0.0access-list 100 permit ip 128.177.247.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 100 permit ip 149.20.0.0 0.0.0.0 255.255.0.0 0.0.0.0access-list 100 permit ip 168.61.0.0 0.0.0.0 255.255.0.0 0.0.0.0access-list 100 permit ip 192.5.4.0 0.0.1.0 255.255.254.0 0.0.1.0access-list 100 permit ip 192.83.249.0 0.0.0.0 255.255.255.0 0.0.0.0[. lines omitted to fit in slide. ]access-list 100 permit ip 209.133.38.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 100 permit ip 209.133.117.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 100 permit ip 209.249.2.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255RtConfig>
[jabley@felix]% RtConfig -cisco_use_prefix_listsRtConfig> @RtConfig access_list filter AS3557:AS-ISC!no ip prefix-list pl100ip prefix-list pl100 permit 128.177.0.0/16ip prefix-list pl100 permit 128.177.247.0/24ip prefix-list pl100 permit 149.20.0.0/16ip prefix-list pl100 permit 168.61.0.0/16ip prefix-list pl100 permit 192.5.4.0/23 le 24ip prefix-list pl100 permit 192.83.249.0/24[. lines omitted to fit in slide. ]ip prefix-list pl100 permit 209.133.38.0/24ip prefix-list pl100 permit 209.133.117.0/24ip prefix-list pl100 permit 209.249.2.0/24ip prefix-list pl100 deny 0.0.0.0/0 le 32RtConfig>
[jabley@felix]% RtConfig -config junosRtConfig> @RtConfig access_list filter AS3557:AS-ISC policy-statement prefix-list-100 { term prefixes { from { route-filter 128.177.0.0/16 exact accept; route-filter 128.177.247.0/24 exact accept; route-filter 149.20.0.0/16 exact accept; route-filter 168.61.0.0/16 exact accept; route-filter 192.5.4.0/23 upto /24 accept; route-filter 192.83.249.0/24 exact accept;[. lines omitted to fit in slide. ] route-filter 209.133.38.0/24 exact accept; route-filter 209.133.117.0/24 exact accept; route-filter 209.249.2.0/24 exact accept; } } term catch-rest { then reject; } }
• RtConfig has many, many options to help
tailor it to individual router configuration
• names of prefix lists, access lists, route
• Can represent quite complicated policies
RtConfig being run from the command line,
• originally conceived as a tool which could
• You can use other peoples’ registries
• Choice of registry for publishing your own
• If your peers are publishing their routing
policy in a Routing Registry, you need to
• you can run your own registry and mirror
• you can insist that people use one registry
in particular (works well if you are Big and
• The principal value of retrieving policy data
from a Routing Registry is to be able to
scripts update your live network is a good
• Use RPSL data to generate filter lists and
• Generate filter lists automatically and
generate e-mail (or other beeping) when the
config in the routers differs from the config
• You can express details of your routing
policy in RPSL that are not normally visible
• use of community string attributes, local
• You don’t have to, however: you only need
to publish the bits that are useful to peers
• http://www.ripe.net/ripe/docs/databaseref-
• http://www.ripe.net/ripencc/pub-services/db/
• ftp://ftp.ripe.net/ripe/dbase/software/
CONSELHO REGIONAL DE FARMÁCIA DO ESTADO DE SANTA CATARINA – CRF/SC 1064 – TIPO 1 Leia o texto a seguir e resolva as questões de 1 a 5. 1. Assinale a alternativa correta. O texto foi escrito com o objetivo central O NÓ DA DISCÓRDIA a) Apresentar dados que mostram que o acordo ortográfico está gerando reações das partes envolvidas. Disponível em: http://revistalingua.uol.
www.epjournal.net – 2010. 8(2): 275-283 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ Why it’s interesting why women have sex A review of Cindy M. Meston and David M. Buss, Why Women Have Sex: The Psychology of Sex in Women’s Own Voices. Times Books: New York, 2009, 306 pp.,US$25.00, ISBN 978-0-8050-8834-2 (hardcover). J. Brett Smith, Evolution Working Group, University of Ala
• Some handwaving about why any of this is
• When people leak a full (or even slightly full)
• The problem isn’t really address hijacking or
route theft (those are different problems)
• the problem is that routers are often
configured by crazed caffeine junkies at
• too long for poor little cisco routers with
• Knowing what to put in filters can be
• Keeping filters up-to-date can be difficult
• Announcing a new net for a customer (or a
newly-allocated net from an RIR) relies on
your peers and transit providers accepting it
• Getting transit providers’ filters updated can
• Getting peers’ filters updated sometimes
never happens (or if it does, it’s hard to tell
• More precisely, reading those updates is
annoying. Sending them is just futile, most of
individual people saying “I’ve updated your
• I am unusually grumpy, though, so this may
• If all you want to do is protect yourself
against tsunami-style leaks from peers, then
setting a maximum-prefix limit is probably
• Applying AS-PATH filters is really no more
• the update frequency is a little lower,
• An AS-PATH filter will still allow you to
receive a full leaked table if it has been
cleaned through redistribution through an
• What we really need is a unified method for
publishing the routes we want to announce:
• never having to spam your peers to tell
• being able to apply strict filters to all your
peers to protect yourself from their after-
• A description of the technical handling of
BGP updates you receive from other people,
and the BGP updates you send to others
• A language for describing routing policy
• A repository of route policy, expressed in
• the interface for updating objects is quite
• the interface for retrieving objects is quite
• One particular Routing Registry operated
• but that’s ok; there are free alternatives
• Phrase invented by Merit Networks to
describe a collection of Routing Registries
• Individual Routing Registries quite often
• “IRR” tends to mean “the set of Routing
Registries that Merit chooses to mirror”
• draft-blunk-rpslng-08, “RPSLng”, July 2004
collections of objects which have something
• aut-num (for things relating to ASes)
• Each object has an associated maintainer
• Each maintainer object has one or more
• Authentication is required to update objects
• In most Routing Registries there is no
represents routes that are allowed to be
• the RIPE registry is more advanced in this
• In general, Routing Registry data is good for
avoiding unintentional leaks, not intentional
• See RPSL specification (also, query some
registries for random ASes’ policies) for
• Contains a description of the import and
• way too much to describe in detail here
• we will just wave our hands a little bit
descr: Internet Systems Consortium, Inc.