[181660] in North American Network Operators' Group
Re: Route leak in Bangladesh
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Tue Jun 30 11:28:34 2015
X-Original-To: nanog@nanog.org
Date: Tue, 30 Jun 2015 11:28:15 -0400 (EDT)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: North American Network Operators' Group <nanog@nanog.org>
In-Reply-To: <E37EC802-5F18-41E3-BDA3-F12AB3D0A4F5@tislabs.com>
Errors-To: nanog-bounces@nanog.org
On Tue, 30 Jun 2015, Sandra Murphy wrote:
> On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner@cluebyfour.org> wrote:
>> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s)
>> and your downstream customer ASNs. Whether this is done manually,
>> built using AS-SETs from your route registry of choice, or through some
>> other automated means is another story.
>>
>
> That sort of AS_PATH filtering would not have helped in this case. The
> AS originated the routes, it did not propagate an upstream route.
I didn't realise the offending AS was originating those routes, rather
than propagating the existing ones.
> So an AS_PATH filter to just its own AS would have passed these routes.
That's why I suggested it as a minimum precaution. When I worked in the
service provider world, we did prefix + AS-PATH filtering + max-prefix,
which was pretty effective in keeping BGP-borne madness down to a dull
roar. Would that stop everything? No, but it did help a lot. I still
work in a BGP-speaking organization - just not one that has downstream
BGP-speaking customers at this point.
> You would need origin validation on your outbound routes. Job
> suggested prefix filters on outbound routes. (If you are doing prefix
> filters on your inbound customer links, it might be excessive caution to
> also prefix filter customers prefixes on outbound links? Or is it: you
> can never be too careful, belt-and-suspenders, measure twice, etc?)
It depends on how much automation can be done to update the
necessary filters and AS-PATH ACLs, and how much you trust both the
automation method and the data source for those filters.
jms
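The point in the exchange above (an outbound AS-PATH filter passes a route the customer *originates*, so a prefix filter or origin validation is needed as well) can be shown by running the three checks side by side. This is an added example, not code from the thread or from any NANOG participant; the ASNs (RFC 5398 documentation range), prefixes (RFC 5737 documentation ranges), customer prefix list and ROAs are all constructed, and the `Route`, `evaluate` and `max_prefix_ok` names are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# --- Constructed, hypothetical data (not from the thread) -------------------
MY_AS = 64496                      # our ASN (RFC 5398 documentation range)
MY_PREFIXES = ["192.0.2.0/24"]     # what we originate ourselves
CUSTOMERS = {                      # downstream customer ASN -> registered prefixes
    64497: ["198.51.100.0/24"],
}
# Hypothetical ROAs: prefix -> (authorised origin AS, maxLength)
ROAS = {
    "192.0.2.0/24":    (64496, 24),
    "198.51.100.0/24": (64497, 24),
    "203.0.113.0/24":  (64498, 24),   # belongs to an unrelated network
}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost = neighbour that sent it, rightmost = origin AS


def as_path_filter(route: Route) -> bool:
    """Outbound AS-PATH filter: permit only our ASN and our customers' ASNs."""
    allowed = {MY_AS} | set(CUSTOMERS)
    return all(asn in allowed for asn in route.as_path)


def prefix_filter(route: Route) -> bool:
    """Outbound prefix filter built from our own and registered customer
    prefixes: exact match or more-specific down to /24 (like 'le 24')."""
    net = ipaddress.ip_network(route.prefix)
    permitted = MY_PREFIXES + [p for ps in CUSTOMERS.values() for p in ps]
    covered = any(net.subnet_of(ipaddress.ip_network(p)) for p in permitted)
    return covered and net.prefixlen <= 24


def origin_validation(route: Route) -> str:
    """RPKI route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covered = False
    for roa_prefix, (roa_asn, maxlen) in ROAS.items():
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if roa_asn == origin and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "notfound"


def max_prefix_ok(routes, limit: int) -> bool:
    """Max-prefix: a session carrying more than `limit` distinct prefixes
    would be torn down (or alarmed) regardless of what the prefixes are."""
    return len({r.prefix for r in routes}) <= limit


def evaluate(route: Route) -> dict:
    """Run each check independently so it is visible which ones catch a bad route."""
    return {
        "as_path": as_path_filter(route),
        "prefix": prefix_filter(route),
        "rov": origin_validation(route),
    }


# Three constructed cases received from customer AS 64497
LEGIT = Route("198.51.100.0/24", (64497,))         # customer announces its own space
LEAK = Route("203.0.113.0/24", (64497, 64498))     # customer re-advertises an upstream route
HIJACK = Route("203.0.113.0/24", (64497,))         # customer *originates* someone else's space

if __name__ == "__main__":
    for name, r in [("legit", LEGIT), ("leak", LEAK), ("hijack", HIJACK)]:
        print(name, evaluate(r))
    print("max-prefix(2):", max_prefix_ok([LEGIT, LEAK, HIJACK], 2))
```

The leak case is stopped by the AS-PATH filter alone (the foreign origin AS is not in the permitted set), but the hijack case, where the customer originates the prefix itself, sails through the AS-PATH filter and is only caught by the prefix filter or by origin validation, which is the point made above. Max-prefix is a blunt backstop that limits how many such routes can escape before the session drops, not a check on any individual route.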