[58495] in North American Network Operators' Group
Re: BGP Path Filtering
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Fri May 16 09:47:00 2003
Date: Fri, 16 May 2003 09:44:28 -0400
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <004801c31b52$f4994720$086df640@amplex.net>
Errors-To: owner-nanog-outgoing@merit.edu
In a message written on Thu, May 15, 2003 at 10:29:18PM -0400, Mark Radabaugh wrote:
> I'm having a hard time finding best practices for filtering outbound bgp
> announcements when providing transit to bgp-speaking customers. While we
> currently multi-home to several providers it appears we will soon need to
> provide transit for customers with their own AS's.
I strongly recommend you prefix list filter your customers, rather
than AS path filter them. While AS path filters do prevent some
kinds of abuse and accidental mistakes, they still allow your customer
to hijack any address space in your network (and possibly beyond)
at any time.
> ip as-path access-list 3 permit ^12345$
>
> but I think this breaks if AS12345 prepends their advertisement.
Probably you want something more like:
ip as-path access-list 3 permit ^(12345_)+$
ip as-path access-list 3 permit ^(12345_)+(6789_)+$
Giving both the customer, and customer with a customer case. That is
both specific, and allows for prepends. Your example has a couple of
problems:
> ip as-path access-list 3 permit ^12345_[0-9]$*
First, it's not a valid regex ($* needs to be *$), second, it allows any
(single) AS behind 12345, so it's hardly a useful filter.
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
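
Added example (not part of the original message): a small Python model of the filters discussed above, showing that the original `^12345$` rejects prepends, that the suggested patterns accept them, and that an AS-path filter alone still passes a prefix the customer does not hold. The translation of the IOS `_` metacharacter is an approximation, the function names are hypothetical, and the prefixes are constructed from documentation ranges.

```python
import ipaddress
import re

# Approximation of IOS "_": start/end of string, a space, or another AS-path delimiter.
_DELIM = r"(?:^|$|[ ,{}()_])"

def cisco_aspath_regex(pattern):
    """Translate an IOS-style AS-path regex into a Python regex (hypothetical helper)."""
    return re.compile(pattern.replace("_", _DELIM))

def aspath_permits(patterns, as_path):
    """True if any 'permit' pattern matches; anything else hits the implicit deny."""
    return any(cisco_aspath_regex(p).search(as_path) for p in patterns)

def prefix_permits(prefix_list, announced):
    """prefix_list is [(network, le)]: permit covered prefixes no longer than /le."""
    net = ipaddress.ip_network(announced)
    for entry, le in prefix_list:
        allowed = ipaddress.ip_network(entry)
        if (net.version == allowed.version and net.subnet_of(allowed)
                and net.prefixlen <= le):
            return True
    return False

ORIGINAL = ["^12345$"]                                  # filter quoted in the thread
SUGGESTED = ["^(12345_)+$", "^(12345_)+(6789_)+$"]      # filters from the reply
ANY_AS_BEHIND = ["^12345_[0-9]*$"]                      # quoted filter with $* corrected to *$
CUSTOMER_PREFIXES = [("192.0.2.0/24", 24)]              # constructed: space the customer holds

def accept(announced, as_path):
    """Accept a customer route only if both the AS-path and prefix filters permit it."""
    return (aspath_permits(SUGGESTED, as_path)
            and prefix_permits(CUSTOMER_PREFIXES, announced))

if __name__ == "__main__":
    routes = [  # constructed announcements: (prefix, AS path as received)
        ("192.0.2.0/24", "12345"),
        ("192.0.2.0/24", "12345 12345 12345"),   # customer prepending
        ("192.0.2.0/24", "12345 6789 6789"),     # customer's customer, prepended
        ("203.0.113.0/24", "12345"),             # valid path, prefix not the customer's
        ("192.0.2.0/24", "12345 64500"),         # unexpected AS behind the customer
    ]
    for prefix, path in routes:
        print(f"{prefix:16} [{path:18}] as-path only: "
              f"{aspath_permits(SUGGESTED, path)!s:5} as-path + prefix-list: "
              f"{accept(prefix, path)}")
```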