[181658] in North American Network Operators' Group
Re: Route leak in Bangladesh
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Tue Jun 30 11:04:51 2015
X-Original-To: nanog@nanog.org
X-Envelope-To: nanog@nanog.org
Date: Tue, 30 Jun 2015 16:04:35 +0100
From: Nick Hilliard <nick@foobar.org>
To: Mark Tinka <mark.tinka@seacom.mu>, Matsuzaki Yoshinobu <maz@iij.ad.jp>,
nanog@nanog.org
In-Reply-To: <559299D5.4010700@seacom.mu>
Errors-To: nanog-bounces@nanog.org
On 30/06/2015 14:29, Mark Tinka wrote:
> - Get your downstreams to create route objects before you turn them up.
> - Get your provisioning teams to validate the prefixes being
> provided by your downstreams.
> - Use both prefix- and AS_PATH-based filters for your downstreams.
> - Use BGP communities (as you've stated).
> - No exceptions.
plus:
- fully automate ingress prefix management
- use maxprefixes with manual reenable on all ebgp sessions
I've been caught with fully automated IRR based per-session prefix
filtering where the customer put the IXP AS macro into their AS macro.
When the customer did a 7007 on this, we accepted everything that they
announced back to us, oy vey.
So you need both.
Nick
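
The failure described in this message, as an added example that is not part of the original post: an IRR-derived filter built from a customer AS-SET that mistakenly contains an IXP AS-SET admits the IXP members' prefixes, and only the per-session max-prefix limit stops the leak. The AS-SET names, ASNs, prefixes and the `Session` class are constructed for illustration, and counting the limit on accepted (post-filter) prefixes is an assumption, since implementations differ.

```python
import ipaddress

# Constructed IRR data using documentation ASNs and prefixes; not real registry objects.
AS_SETS = {
    "AS-CUSTOMER": ["AS64500", "AS64501", "AS-IXP-MEMBERS"],  # the mistake
    "AS-IXP-MEMBERS": ["AS64510", "AS64511", "AS-CUSTOMER"],  # sets may loop
}
ROUTES = {
    "AS64500": ["192.0.2.0/24"],
    "AS64501": ["198.51.100.0/24"],
    "AS64510": ["203.0.113.0/25"],
    "AS64511": ["203.0.113.128/25", "2001:db8::/32"],
}

def expand_as_set(name, as_sets, seen=None):
    """Recursively expand an AS-SET into member ASNs, tolerating loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):
        if member in as_sets:
            asns |= expand_as_set(member, as_sets, seen)
        else:
            asns.add(member)
    return asns

def build_filter(as_set, as_sets=AS_SETS, routes=ROUTES):
    """Prefix filter = route objects of every ASN the AS-SET expands to."""
    return {ipaddress.ip_network(p)
            for asn in expand_as_set(as_set, as_sets)
            for p in routes.get(asn, [])}

class Session:
    """eBGP session with a prefix filter and a max-prefix limit (manual re-enable)."""
    def __init__(self, prefix_filter, max_prefixes):
        self.filter, self.max = prefix_filter, max_prefixes
        self.accepted, self.up = set(), True

    def receive(self, announcements):
        for p in map(ipaddress.ip_network, announcements):
            if not self.up:
                break
            if p in self.filter:
                self.accepted.add(p)
                if len(self.accepted) > self.max:
                    self.up = False          # stays down until an operator acts
                    self.accepted.clear()    # routes withdrawn with the session
        return self.up

    def manual_reenable(self):
        self.up = True
```

With the customer expected to originate two prefixes, `Session(build_filter("AS-CUSTOMER"), max_prefixes=2)` goes down on the third accepted prefix, whereas the same filter with a generous limit accepts all five.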