[189950] in North American Network Operators' Group
Re: intra-AS messaging for route leak prevention
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Fri Jun 10 13:38:28 2016
X-Original-To: nanog@nanog.org
Date: Fri, 10 Jun 2016 10:34:59 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org, Joe Provo <nanog-post@rsuc.gweep.net>
Mail-Followup-To: nanog@nanog.org, Joe Provo <nanog-post@rsuc.gweep.net>
In-Reply-To: <20160610085017.GF2524@Vurt.local>
Errors-To: nanog-bounces@nanog.org
In a message written on Fri, Jun 10, 2016 at 10:50:17AM +0200, Job Snijders wrote:
> You say 'often', but I don't recognise that design pattern from my own
> experience. A weakness with the egress point (in context of route leak
> prevention) is that if you are filtering there, it's already too late. If
> you are trying to prevent route leaks on egress, you have already
> accepted the leaked routes somewhere, and those leaked routes are best
> path somewhere in your network, which means you've lost.
It does mean the provider creating the leak has already lost, but
that doesn't mean it still isn't vital to protecting the larger
internet. A good example of this is fire code. Most fire codes
do not do much to prevent you from starting a fire in your own
house/condo/apartment, but rather prevent it from spreading to your
neighbors.
For instance, if you filter Customer A to A's Prefix list on ingress,
B to B's, C to C's, it may also be prudent to filter outbound to
your peers based on A+B+C's prefix list. When the ingress filter
to A fails (typo, bug, bad engineer), your own network is hosed by
whatever junk A ingested, but at least you won't pass it on to peers
and spoil the rest of the Internet.
Basically both ingress and egress filtering have weaknesses, and
in some cases doing both can provide some mitigation. It's the old
adage "belt and suspenders".
-- 
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/
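An added example, not from this thread or anyone on it: a small Python model of the belt-and-suspenders scheme described above, with per-customer ingress prefix lists and an egress filter toward peers built from the union of all customer prefix lists. The customer names, prefixes and the "broken ingress filter" failure mode are constructed for illustration.

```python
"""Toy model of ingress + egress prefix filtering for route-leak containment.

Ingress: each customer session accepts only that customer's prefix list.
Egress: advertisements to peers are limited to the union of all customer
prefix lists. If one ingress filter fails open (typo, bug), the junk lands
in our own table, but the egress filter still keeps it away from peers.
"""
from ipaddress import ip_network

# Constructed sample data: per-customer prefix lists (hypothetical customers).
CUSTOMER_PREFIXES = {
    "A": ["192.0.2.0/24"],
    "B": ["198.51.100.0/24"],
    "C": ["203.0.113.0/24"],
}


def permitted(prefix, prefix_list, max_len=24):
    """Prefix-list style match: the route must fall inside some entry and
    must not be more specific than max_len (like an 'le 24' clause)."""
    net = ip_network(prefix)
    covered = any(net.subnet_of(ip_network(entry)) for entry in prefix_list)
    return covered and net.prefixlen <= max_len


def ingress(customer, announced, broken=()):
    """Per-customer ingress filter. Customers listed in `broken` model a
    misconfigured filter that accidentally permits everything."""
    if customer in broken:
        return list(announced)
    return [p for p in announced if permitted(p, CUSTOMER_PREFIXES[customer])]


def egress_to_peers(local_rib):
    """Egress filter toward peers: only what the union of all customer
    prefix lists covers may be advertised."""
    union = [p for lst in CUSTOMER_PREFIXES.values() for p in lst]
    return [p for p in local_rib if permitted(p, union)]


def simulate(announcements, broken=()):
    """Run every customer's announcements through ingress, build the local
    table, then compute what would be advertised to peers."""
    rib = []
    for customer, routes in announcements.items():
        rib.extend(ingress(customer, routes, broken))
    return rib, egress_to_peers(rib)
```

With A's ingress filter broken, the constructed leak 198.18.0.0/15 ends up in the local table but is still dropped by the egress filter; with ingress intact it never gets in at all.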