[158945] in North American Network Operators' Group
Re: Strict route filtering at IX?
daemon@ATHENA.MIT.EDU (Andy Davidson)
Mon Dec 17 06:42:43 2012
From: Andy Davidson <andy@nosignal.org>
To: Dan Luedtke <mail@danrl.de>
Date: Mon, 17 Dec 2012 11:42:17 +0000
In-Reply-To: <20121212122209.1f2b08e7@marvin.nonattached.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>

Hi, Dan --

On 12/12/2012 11:22, "Dan Luedtke" <mail@danrl.de> wrote:
>So, here's the question: How do you filter at exchanges?
>Where is the error in my workflow?
>Is strict route filtering a myth?

You can see if the route-servers at the IX already filter. For example,
this is the case at LONAP, where strict filters against RADB are built.

Networks with open policy and large numbers of peers will naturally find
it hard to filter peer *prefixes* on session config, because, as you have
found, the config quickly becomes large and unwieldy. As Arnold has said,
filtering with max-prefix and AS-path is more common on bilateral sessions.

My advice would be to encourage your IX operator to filter on the
route-servers, and rely on MLP-derived adjacency for networks that you
want to peer with, but don't trust enough not to prefix-filter.

Andy
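
Added example, not part of the message above or of any IX's tooling: a small Python model of the two filtering styles discussed, strict (prefix, origin) matching against IRR route objects as a route-server would do, versus AS-path plus max-prefix on a bilateral session. All prefixes, ASNs, function names and the way max-prefix is counted (on accepted routes) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: route objects as an IRR such as RADB might list
# for a peer's AS-SET. Prefixes and ASNs are from documentation ranges.
IRR_ROUTES = {
    (ipaddress.ip_network("192.0.2.0/24"), 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 64497),
}
PEER_AS = 64496
PEER_CONE = {asn for _, asn in IRR_ROUTES}  # ASNs expected behind the peer

# Constructed announcements received from the peer: (prefix, AS path).
UPDATES = [
    ("192.0.2.0/24", [64496]),            # registered, peer's own route
    ("198.51.100.0/24", [64496, 64497]),  # registered customer route
    ("203.0.113.0/24", [64496, 64497]),   # plausible path, no route object
    ("192.0.2.0/25", [64496]),            # unregistered more-specific
    ("198.51.100.0/24", [64496, 64500]),  # origin AS outside the cone
]


def strict_filter(prefix, as_path):
    """Route-server style: the exact (prefix, origin AS) must be registered."""
    net = ipaddress.ip_network(prefix)
    return bool(as_path) and (net, as_path[-1]) in IRR_ROUTES


def aspath_filter(prefix, as_path):
    """Bilateral style: first AS is the peer, every AS is in its cone.
    The prefix itself is deliberately not inspected."""
    return bool(as_path) and as_path[0] == PEER_AS and set(as_path) <= PEER_CONE


def run_session(updates, accept, max_prefix=None):
    """Return (accepted_prefixes, session_up) after applying the filter.
    Exceeding max_prefix drops the session and withdraws everything."""
    accepted = []
    for prefix, path in updates:
        if accept(prefix, path):
            accepted.append(prefix)
            if max_prefix is not None and len(accepted) > max_prefix:
                return [], False
    return accepted, True


if __name__ == "__main__":
    print("strict      :", run_session(UPDATES, strict_filter))
    print("as-path     :", run_session(UPDATES, aspath_filter))
    print("as-path + 3 :", run_session(UPDATES, aspath_filter, max_prefix=3))
```

The AS-path filter alone lets the unregistered prefix and the more-specific through; max-prefix only bounds how many such routes are taken before the session drops.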