[189845] in North American Network Operators' Group
Re: Bogon ASN Filter Policy
daemon@ATHENA.MIT.EDU (Arnold Nipper)
Wed Jun 8 01:36:53 2016
X-Original-To: nanog@nanog.org
To: Jay Borkenhagen <jayb@att.com>, nanog@nanog.org
From: Arnold Nipper <arnold@nipper.de>
Date: Wed, 8 Jun 2016 07:36:40 +0200
In-Reply-To: <22353.33101.968191.138056@oz.mt.att.com>
Message-ID: <82502792-912e-b6df-6477-27f6ba573222@nipper.de>
References: <20160602194138.GM15096@57.rev.meerval.net>
<b1f7e917-7874-c084-2b56-55cc457d4ac2@gtt.net>
<22353.33101.968191.138056@oz.mt.att.com>
On 03.06.2016 15:08, Jay Borkenhagen wrote:
> AT&T/as7018 is also now in the process of updating its as-path bogon
> filters to match those cited below. We have long employed such
> filters, and our changes at this time are primarily to extend them to
> prohibit as23456 and the reserved blocks > as65535.
>
> So to Job and Adam and anyone else who deploys such filters: Thanks!
> I would like to extend to you this laurel, and hearty handshake...
>
Well done, NTT, GTT, AT&T. You may want to notice that most of the IXPs
around the world which operate route servers have long done strict
filtering, both on ASNs and on prefixes. So it's really nice to
see that the big ISPs take care as well now.

As I learnt yesterday at ENOG11, a way more challenging issue is to
cope with route leaks.
Cheers and cu in chi
Arnold
>
> On 02-June-2016, Adam Davenport writes:
> > I personally applaud this effort as initiatives like this that help
> > prevent the global propagation of Bogons and other "bad things" only
> > serves to help us all. With that said, notice went out to potentially
> > affected GTT / AS3257 customers this week that by the end of June we too
> > will be filtering prefixes that contain any of the Bogon ASNs listed
> > below in the as-path. I highly encourage other networks to
> > follow suit, as again it only helps us all.
> >
> > Thanks Job for kicking this one off, and I look forward to others
> > doing the same!
> >
> > Adam Davenport / adam.davenport@gtt.net
> >
> > On 6/2/16 3:41 PM, Job Snijders wrote:
> > > Dear fellow network operators,
> > >
> > > In July 2016, NTT Communications' Global IP Network AS2914 will deploy a
> > > new routing policy to block Bogon ASNs from its view of the default-free
> > > zone. This notification is provided as a courtesy to the network
> > > community at large.
> > >
> > > After the Bogon ASN filter policy has been deployed, AS 2914 will not
> > > accept route announcements from any eBGP neighbor which contains a Bogon
> > > ASN anywhere in the AS_PATH or its atomic aggregate attribute.
> > >
> > > The reasoning behind this policy is twofold:
> > >
> > > - Private or Reserved ASNs have no place in the public DFZ. Barring
> > >   these from the DFZ helps improve accountability and dampen
> > >   accidental exposure of internal routing artifacts.
> > >
> > > - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456"
> > >   in the DFZ is either a misconfiguration or software issue.
> > >
> > > We are undertaking this effort to improve the quality of routing data as
> > > part of the global ecosystem. This should improve the security posture
> > > and provide additional certainty [1] to those undertaking network
> > > troubleshooting.
> > >
> > > Bogon ASNs are currently defined as follows:
> > >
> > >     0                       # Reserved RFC7607
> > >     23456                   # AS_TRANS RFC6793
> > >     64496-64511             # Reserved for use in docs and code RFC5398
> > >     64512-65534             # Reserved for Private Use RFC6996
> > >     65535                   # Reserved RFC7300
> > >     65536-65551             # Reserved for use in docs and code RFC5398
> > >     65552-131071            # Reserved
> > >     4200000000-4294967294   # Reserved for Private Use RFC6996
> > >     4294967295              # Reserved RFC7300
> > >
> > > A current overview of what are considered Bogon ASNs is maintained at
> > > NTT's Routing Policies page [2]. The IANA Autonomous System Number
> > > Registry [3] is closely tracked and the NTT Bogon ASN definitions are
> > > updated accordingly.
> > >
> > > We encourage network operators to consider deploying similar policies.
> > > Configuration examples for various platforms can be found here [4].
> > >
> > > NTT staff is monitoring current occurrences of Bogon ASNs in the routing
> > > system and reaching out to impacted parties on a weekly basis.
> > >
> > > Kind regards,
> > >
> > > Job
> > >
> > > Contact persons:
> > >
> > > Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>,
> > > NTT Communications NOC <noc@ntt.net>
> > >
> > > References:
> > > [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
> > > [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
> > > [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
> > > [4]: http://as2914.net/bogon_asns/configuration_examples.txt
>
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold@nipper.de phone: +49 6224 5593407 2
mobile: +49 172 2650958 fax: +49 6224 5593407 9
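
An added example (not part of the original message, and not NTT's or any other operator's configuration): a Python check of an AS_PATH string against the Bogon ASN ranges listed in the quoted announcement. The function names, the textual AS_PATH form (asplain or asdot tokens, AS_SET members in braces) and the sample paths in the test are assumptions made for illustration.

```python
import re

# Bogon ASN ranges as listed in the quoted announcement (inclusive bounds).
BOGON_ASN_RANGES = [
    (0, 0, "Reserved RFC7607"),
    (23456, 23456, "AS_TRANS RFC6793"),
    (64496, 64511, "Reserved for use in docs and code RFC5398"),
    (64512, 65534, "Reserved for Private Use RFC6996"),
    (65535, 65535, "Reserved RFC7300"),
    (65536, 65551, "Reserved for use in docs and code RFC5398"),
    (65552, 131071, "Reserved"),
    (4200000000, 4294967294, "Reserved for Private Use RFC6996"),
    (4294967295, 4294967295, "Reserved RFC7300"),
]
# Matches asplain ("65536") and asdot ("1.0") ASN tokens.
_ASN_TOKEN = re.compile(r"\d+(?:\.\d+)?")

def parse_asn(token):
    """Convert an asplain or asdot token to a 32-bit integer ASN."""
    if "." in token:
        high, low = (int(part) for part in token.split("."))
        asn = (high << 16) | low if max(high, low) <= 0xFFFF else -1
    else:
        asn = int(token)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"not a valid 32-bit ASN: {token}")
    return asn

def bogon_reason(asn):
    """Return the list's note for a bogon ASN, or None if it is not listed."""
    for low, high, reason in BOGON_ASN_RANGES:
        if low <= asn <= high:
            return reason
    return None

def find_bogons(as_path):
    """Return [(asn, reason)] for each distinct bogon ASN in an AS_PATH string.
    Members of an AS_SET written as {a,b} are checked as well."""
    hits = []
    for token in _ASN_TOKEN.findall(as_path):
        asn = parse_asn(token)
        reason = bogon_reason(asn)
        if reason and (asn, reason) not in hits:
            hits.append((asn, reason))
    return hits

def accept_route(as_path):
    """Policy decision: reject when a bogon ASN appears anywhere in the path."""
    return not find_bogons(as_path)
```

The range boundaries are where filters usually go wrong: 131071 is still reserved while 131072 is not, and 4199999999 is allocatable while 4200000000 is private use.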