[189955] in North American Network Operators' Group
Re: intra-AS messaging for route leak prevention
daemon@ATHENA.MIT.EDU (Mark Tinka)
Fri Jun 10 14:38:31 2016
To: nanog@nanog.org, Joe Provo <nanog-post@rsuc.gweep.net>
From: Mark Tinka <mark.tinka@seacom.mu>
Date: Fri, 10 Jun 2016 20:38:22 +0200
In-Reply-To: <20160610173459.GA58206@ussenterprise.ufp.org>
Message-ID: <8c107cc1-c29d-037b-1873-2c7f9a00fc7d@seacom.mu>
References: <BL2PR09MB11234069E707505B417F29D6845C0@BL2PR09MB1123.namprd09.prod.outlook.com>
<20160606155418.GD35417@22.rev.meerval.net>
<4cd6ac15-add6-b1cf-e538-bf65202f6937@seacom.mu>
<BL2PR09MB11230F5B8B688CEF61F319A0845E0@BL2PR09MB1123.namprd09.prod.outlook.com>
<20160608124811.GA75603@gweep.net> <20160610085017.GF2524@Vurt.local>
<20160610173459.GA58206@ussenterprise.ufp.org>
On 10/Jun/16 19:34, Leo Bicknell wrote:
> It does mean the provider creating the leak has already lost, but
> that doesn't mean it still isn't vital to protecting the larger
> internet. A good example of this is fire code. Most fire codes
> do not do much to prevent you from starting a fire in your own
> house/condo/apartment, but rather prevent it from spreading to your
> neighbors.
I've found communities to be robust at filtering very effectively.
I have heard of software issues that may cause filters to stop working,
but I have not yet encountered any such issues myself that had nothing
to do with a mis-configuration or lack of understanding about how
policies are evaluated by the router.
>
> For instance, if you filter Customer A to A's Prefix list on ingress,
> B to B's, C to C's, it may also be prudent to filter outbound to
> your peers based on A+B+C's prefix list. When the ingress filter
> to A fails (typo, bug, bad engineer), your own network is hosed by
> whatever junk A ingested, but at least you won't pass it on to peers
> and spoil the rest of the Internet.
That does not scale, and was probably one of the primary reasons
communities were developed.
>
> Basically both ingress and egress filtering have weaknesses, and
> in some cases doing both can provide some mitigation. It's the old
> adage "belt and suspenders".
We've been operating purely community-based filtering on border and
peering routers for years. I've never run into an issue with the
software that broke that.
The folk I know who have suffered this either mis-configured their
policies, did not understand BGP, or did not get a good handle on how
their router OS implements filtering and filter evaluation.
Mark.
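The two egress strategies the thread contrasts, community-based export (Mark's approach) and export against the union of all customer prefix lists (Leo's "belt and suspenders"), as an added toy model written for this page; it is not code from either poster and not router configuration. The policy evaluation is simulated in Python: each customer session has an ingress prefix list, accepted routes are tagged with a customer community, and the two egress policies are run over the resulting RIB. The community value 65000:100, the customer prefix lists, the announcements and the "typo'd" permit-anything ingress filter are all constructed for the example.

```python
"""Toy model of ingress prefix-list filtering plus two egress policies.
Constructed example for illustration; not router code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed community used to mark routes learned from customer sessions.
CUSTOMER_COMMUNITY = "65000:100"

# Constructed customer prefix lists (documentation ranges). Each entry is
# (prefix, le): permit the prefix and its subnets down to length `le`.
PrefixList = List[Tuple[str, int]]
CUSTOMER_PREFIX_LISTS = {
    "A": [("192.0.2.0/24", 24)],
    "B": [("198.51.100.0/24", 26)],
    "C": [("203.0.113.0/24", 24)],
}

# A broken ingress filter for A: the operator meant 192.0.2.0/24 but
# committed an entry that permits anything (the "typo" case in the thread).
BROKEN_A_PREFIX_LIST = [("0.0.0.0/0", 32)]


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()


def prefix_list_permits(prefix: str, prefix_list: PrefixList) -> bool:
    """Return True if any (prefix, le) entry covers `prefix`."""
    net = ipaddress.ip_network(prefix)
    for allowed, le in prefix_list:
        allowed_net = ipaddress.ip_network(allowed)
        if net.subnet_of(allowed_net) and net.prefixlen <= le:
            return True
    return False


def customer_ingress(route: Route, prefix_list: PrefixList) -> Optional[Route]:
    """Ingress policy on a customer session: prefix-list check, then tag.
    Returns None when the route is rejected."""
    if not prefix_list_permits(route.prefix, prefix_list):
        return None
    return Route(route.prefix, route.communities | {CUSTOMER_COMMUNITY})


def egress_by_community(rib: List[Route]) -> set:
    """Export to peers only what carries the customer community."""
    return {r.prefix for r in rib if CUSTOMER_COMMUNITY in r.communities}


def egress_by_prefix_list(rib: List[Route]) -> set:
    """Export to peers only what matches the union of all customer lists."""
    union = [e for pl in CUSTOMER_PREFIX_LISTS.values() for e in pl]
    return {r.prefix for r in rib if prefix_list_permits(r.prefix, union)}


def simulate(broken_customer: Optional[str] = None) -> dict:
    """Run ingress for every customer, then both egress policies.
    `broken_customer` selects which customer's ingress filter is the
    permit-anything typo; None means all filters are intact."""
    # Constructed announcements: each customer announces its own block;
    # A additionally announces a prefix that is not its own.
    announcements = {
        "A": [Route("192.0.2.0/24"), Route("100.64.0.0/22")],
        "B": [Route("198.51.100.0/25")],
        "C": [Route("203.0.113.0/24")],
    }
    rib: List[Route] = []
    for customer, routes in announcements.items():
        prefix_list = CUSTOMER_PREFIX_LISTS[customer]
        if customer == broken_customer:
            prefix_list = BROKEN_A_PREFIX_LIST
        for route in routes:
            accepted = customer_ingress(route, prefix_list)
            if accepted is not None:
                rib.append(accepted)
    return {
        "community_egress": egress_by_community(rib),
        "prefix_list_egress": egress_by_prefix_list(rib),
    }


if __name__ == "__main__":
    for case in (None, "A"):
        result = simulate(case)
        print("broken ingress:", case)
        print("  community egress  :", sorted(result["community_egress"]))
        print("  prefix-list egress:", sorted(result["prefix_list_egress"]))
```

With intact ingress filters both egress policies export the same three prefixes, which is the case Mark describes. When A's ingress filter is the permit-anything typo, the foreign prefix is accepted and tagged as a customer route, so community-based egress forwards it to peers; the union prefix list still drops it, which is the second layer Leo argues for. The model also shows the cost of that second layer: the union list has to be regenerated whenever any customer's list changes, which is the scaling concern Mark raises.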