[181657] in North American Network Operators' Group
Re: Route leak in Bangladesh
daemon@ATHENA.MIT.EDU (Sandra Murphy)
Tue Jun 30 10:53:56 2015
X-Original-To: nanog@nanog.org
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <Pine.LNX.4.64.1506301036460.18224@whammy.cluebyfour.org>
Date: Tue, 30 Jun 2015 10:53:45 -0400
To: North American Network Operators' Group <nanog@nanog.org>
Cc: Sandra Murphy <sandy@tislabs.com>
Errors-To: nanog-bounces@nanog.org
--Apple-Mail=_838BC519-B5A7-4892-866B-C2C68690B64E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii
On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" =
<streiner@cluebyfour.org> wrote:
> On Tue, 30 Jun 2015, Matsuzaki Yoshinobu wrote:
>=20
>> Randy Bush <randy@psg.com> wrote
>>>> A friend in AS58587 confirmed that this was caused by a =
configuration
>>>> error - it seems like related to redistribution, and they already
>>>> fixed that.
>>>=20
>>> 7007 all over again. do not redistribute bgp into igp. do not
>>> redistribute igp into bgp.
>>=20
>> I also suggested them to implement BGP community based route =
filtering
>> in their outbound policy. Any other suggestions or thoughts to
>> prevent such incidents in general?
>=20
> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) =
and your downstream customer ASNs. Whether this is done manually, built =
using AS-SETs from your route registry of choice, or through some other
> automated means is another story.
>=20
That sort of AS_PATH filtering would not have helped in this case. The =
AS originated the routes, it did not propagate an upstream route.
So an AS_PATH filter to just its own AS would have passed these routes.
You would need origin validation on your outbound routes. Job suggested =
prefix filters on outbound routes. (If you are doing prefix filters on =
your inbound customer links, it might be excessive caution to also =
prefix filter customers prefixes on outbound links? Or is it: you can =
never be too careful, belt-and-suspenders, measure twice, etc?)
--Sandy
--Apple-Mail=_838BC519-B5A7-4892-866B-C2C68690B64E
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=signature.asc
Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJVkq15AAoJEHplpQeet0IZPPgP/1qDtj/kLzrELWCEQW5KcsBH
fdmxtLkhJZbiltb9Ws3KG003S4KqTGDW9qAL8NFoL6HlIUjGt8qy94jjfVkgLCNF
bfV0yLV8M+g4hequpesgROVbeMyNBYXdBT48sbxSooeTurPGxMWXOCpd9KlwpzPs
Y92uNuQVmckdZO71a8q1116bE0B0wODTSRQJFK6+fwY2ebVnJroBqhbWHuzUfLrc
AGe7CADucf4znrShDvOAL0wPDMQjsiDWd2VbnLbXP9GuQ0CVhjKoT7Cr5/UGbkYf
U6lhIOrDwg3Q9aDE617uSWnqTJrg2Ta6gWCNy1IcwRaht5G3T+KqrZLSbulSkGKd
LzjIOnKaWzgDmGp3grFACkJBNaYGxtfYSfho8trtKh0IBxVZlYwL9xjgKJpoauU5
QwXoxXuZESYoCWRsiax0m7rAb5ZaUzH/Nregs57Ei5FWWNhCjE/ZuwhYSlhmbRWC
jMKsPNcjIkHMbEZB9VjzsmLnvVDkYAri3CWjr0FAtz6G5dc6dB3RfC6i9wJ+emIS
6i4/DB0MOfHyLkJwvt7l9+nmjslkl3YAIHsQNasb6zJaPMa4yJIT5Rejwf16eHOk
CH3mKdL0mKCT4t7ukDzQIAu24iWgWsOUIrgfntvkcuEj28NgVDTpnK3SJEnaXmoB
csT4iPxTXSBDlsu7h0uh
=taRU
-----END PGP SIGNATURE-----
--Apple-Mail=_838BC519-B5A7-4892-866B-C2C68690B64E--
