[170737] in North American Network Operators' Group
Re: BGPMON Alert Questions
daemon@ATHENA.MIT.EDU (Mark Tinka)
Sat Apr 5 07:22:01 2014
From: Mark Tinka <mark.tinka@seacom.mu>
To: Sharon Goldberg <goldbe@cs.bu.edu>
Date: Sat, 5 Apr 2014 13:21:20 +0200
In-Reply-To: <CAJHGrrRF3zKwx7T7vQORx1xjqV8YDqMAWbJf4V0yU6Dvw56BdQ@mail.gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>,
Frank Bulk <fbulk@mypremieronline.com>
Reply-To: mark.tinka@seacom.mu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Friday, April 04, 2014 05:17:36 PM Sharon Goldberg wrote:
> Right, we didn't include that in our analysis because we
> didn't have a good sense for how many ISPs actually do
> filter their downstream's downstreams. So we chose to give
> a conservative estimate of the impact of prefix
> filtering in partial deployment: we assumed that no one
> filters their downstreams' downstreams. I'm honestly not
> sure exactly what including this assumption would do to
> our results, except to say that it would make them
> better (i.e. that more attacks would be stopped). Might
> be a good experiment for one of my summer interns.

I've typically been on the side where we filter just the
downstream and apply AS_PATH filtering liberally for their
downstreams.

At $current_job, we're now filtering both downstream and
downstream's downstreams on AS_PATH + prefix list, taking
the prefix aggregate and suffixing "le 24" or "le 48".

We are now thinking about how to scale this without using
RPSL, as that creates lots and lots of clutter in the
configuration, as well as sub-optimal forwarding when
customers are sending routes you aren't accepting when they
forget that RPSL-based filtering is prefix-specific.

Mark.
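
The two filtering styles contrasted in the message above, as an added example (not code from the original post or from any operator's configuration): an aggregate prefix list with "le 24" / "le 48" combined with an AS_PATH check, next to a prefix-specific list of the kind the message associates with RPSL-based filtering. The prefixes, ASNs, function names and the set-based AS_PATH check are assumptions constructed for illustration.

```python
import ipaddress

def permits_le(aggregate, le, route):
    """Prefix-list entry '<aggregate> le <le>': the route must sit inside the
    aggregate and be no longer than <le>."""
    agg = ipaddress.ip_network(aggregate)
    net = ipaddress.ip_network(route)
    return (net.version == agg.version
            and agg.prefixlen <= net.prefixlen <= le
            and net.subnet_of(agg))

def permits_exact(registered, route):
    """Prefix-specific filter: only the literally listed prefixes pass."""
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(p) for p in registered)

def as_path_ok(as_path, cone):
    """AS_PATH filter (assumed form): every ASN in the path must be the
    customer or one of its known downstreams."""
    return bool(as_path) and all(asn in cone for asn in as_path)

def evaluate(routes, aggregates, exact, cone):
    """Return {prefix: (aggregate_le_verdict, prefix_specific_verdict)}."""
    verdicts = {}
    for prefix, path in routes:
        path_ok = as_path_ok(path, cone)
        verdicts[prefix] = (
            path_ok and any(permits_le(a, le, prefix) for a, le in aggregates),
            path_ok and permits_exact(exact, prefix),
        )
    return verdicts

# Constructed sample data: customer AS64500 with downstream AS64501.
CONE = {64500, 64501}
AGGREGATES = [("10.20.0.0/22", 24), ("2001:db8::/32", 48)]
EXACT = ["10.20.0.0/22", "2001:db8::/32"]
ROUTES = [
    ("10.20.0.0/22", [64500]),            # the aggregate itself
    ("10.20.1.0/24", [64500, 64501]),     # de-aggregated by the downstream
    ("10.20.1.0/25", [64500]),            # longer than le 24
    ("2001:db8:10::/48", [64500, 64501]), # IPv6 more-specific within le 48
    ("10.99.0.0/24", [64500]),            # outside the customer's aggregate
    ("10.20.2.0/24", [64500, 64999]),     # AS64999 is not in the cone
]

if __name__ == "__main__":
    for prefix, (agg_le, specific) in evaluate(ROUTES, AGGREGATES, EXACT, CONE).items():
        print(f"{prefix:20} aggregate+le={agg_le!s:5} prefix-specific={specific}")
```

The /24 and /48 more-specifics pass the aggregate filter but are dropped by the prefix-specific list, which is the case where traffic falls back to a less specific route.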