[181659] in North American Network Operators' Group
Re: Route leak in Bangladesh
daemon@ATHENA.MIT.EDU (Job Snijders)
Tue Jun 30 11:09:36 2015
X-Original-To: nanog@nanog.org
Date: Tue, 30 Jun 2015 17:09:29 +0200
From: Job Snijders <job@instituut.net>
To: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <E37EC802-5F18-41E3-BDA3-F12AB3D0A4F5@tislabs.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Jun 30, 2015 at 10:53:45AM -0400, Sandra Murphy wrote:
> That sort of AS_PATH filtering would not have helped in this case.
> The AS originated the routes, it did not propagate an upstream route.
>
> So an AS_PATH filter to just its own AS would have passed these
> routes.
>
> You would need origin validation on your outbound routes. Job
> suggested prefix filters on outbound routes. (If you are doing prefix
> filters on your inbound customer links, it might be excessive caution
> to also prefix filter customers prefixes on outbound links? Or is it:
> you can never be too careful, belt-and-suspenders, measure twice,
> etc?)
I wouldn't consider it to be excessive caution to bring more safeguards
to the game, you never know when diarrhea will strike.
If you were the network causing a leak of this type, prefix filters on
inbound facing your customers might not have prevented this.
If you are a network providing transit to the leak originator mentioned
in the above paragraph, I believe a prefix based filter could have made
a big difference.
Kind regards,
Job
