[102735] in North American Network Operators' Group
Re: BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]
daemon@ATHENA.MIT.EDU (Pekka Savola)
Mon Feb 25 14:24:41 2008
Date: Mon, 25 Feb 2008 21:19:19 +0200 (EET)
From: Pekka Savola <pekkas@netcore.fi>
To: Danny McPherson <danny@tcb.net>
cc: NANOG NANOG <nanog@merit.edu>
In-Reply-To: <C80D946E-1A05-4C7D-8A39-A7361352734A@tcb.net>
Errors-To: owner-nanog@merit.edu
On Mon, 25 Feb 2008, Danny McPherson wrote:
>> (Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix
>> filtered, based on RIPE IRR data (with one exception). IPv4 peers'
>> advertisements seem to be too big a mess, and too long filters, to fix this
>> way.)
>
> Do you explicitly filter routes from your upstream or transit providers?
> E.g., if one were to announce, say, a more specific of one of your
> customer's routes to you would you accept it? What about someone
> else's address space?
Our own or our singlehomed customers' address space -- we would reject
such an advertisement. The same inbound consistency check applies to
peers and upstreams/transits.
If it's someone else's or a more specific or the same prefix as our
multihomed customers -- we accept it. There isn't anything else we
can do in practise which would not hurt legitimate routing..
> It was extremely painful at times, even for us, if we wanted to
> advertise new address space we had to update IRR objects and
> wait on their nightly push of updated routing policies at ANS. We
> generated our own routing policies automatically off our IRR, which
> mirrored others as well, and explicitly prefix filtered customers with
> some fixed prefix and AS path-based policies applied to peers. If it
> became really urgent, then we'd call ANS and have them manually
> update their policy, and subsequently 'bounce' the route
> announcement to trigger transmission of a new update.
Sounds like a procedure that should be applied today (whether or not
you want to use IRR and/or autogenerated configs is a matter of taste)
but the principle seems sound.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
