Route leak in Bangladesh

Mark Tinka mark.tinka at seacom.mu
Wed Jul 1 06:21:47 UTC 2015


On 30/Jun/15 16:53, Sandra Murphy wrote:
>
> That sort of AS_PATH filtering would not have helped in this case.
> The AS originated the routes, it did not propagate an upstream route.
>
> So an AS_PATH filter to just its own AS would have passed these routes.
>
> You would need origin validation on your outbound routes.  Job
> suggested prefix filters on outbound routes.  (If you are doing prefix
> filters on your inbound customer links, it might be excessive caution to
> also prefix filter customers' prefixes on outbound links?  Or is it: you
> can never be too careful, belt-and-suspenders, measure twice, etc?)

Assuming you're running the same hardware/software across your backbone,
correct prefix filters on inbound sessions to downstreams should be just
fine. If those break, it's likely whatever broke them would also break
them on egress to your upstreams and peers.

The problem with egress prefix filters to upstreams and peers is that
it's simply not scalable. Assuming you have a uniform routing policy
where neighbors are all treated as eBGP sessions, then there is no real
difference between upstreams, peers and other customers. Imagine having
to build outbound prefix filters across your entire backbone for a
uniform eBGP routing policy.

Mark.
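
The point discussed in this message, as an added example that is not part of the original thread: an AS_PATH filter on a downstream session accepts anything the downstream originates itself, while a prefix filter on the same session rejects address space that is not registered to it. The ASNs (64500, 64501), the prefixes (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str
    as_path: tuple  # leftmost = neighbour AS, rightmost = origin AS

CUSTOMER_AS = 64500  # constructed, private-use ASN
# Constructed registry data: (covering prefix, longest length accepted)
CUSTOMER_PREFIXES = [("192.0.2.0/24", 24), ("198.51.100.0/23", 24)]

def as_path_permits(route, customer_as=CUSTOMER_AS):
    """AS_PATH filter: path must contain only the customer's AS (prepends allowed)."""
    return len(route.as_path) > 0 and set(route.as_path) == {customer_as}

def prefix_permits(route, allowed=CUSTOMER_PREFIXES):
    """Prefix filter: route must sit inside registered space, up to the max length."""
    net = ipaddress.ip_network(route.prefix)
    for cover, max_len in allowed:
        cover_net = ipaddress.ip_network(cover)
        if (net.version == cover_net.version
                and net.subnet_of(cover_net)
                and net.prefixlen <= max_len):
            return True
    return False

def evaluate(routes):
    """Return (prefix, passes AS_PATH filter, passes prefix filter) per route."""
    return [(r.prefix, as_path_permits(r), prefix_permits(r)) for r in routes]

ANNOUNCEMENTS = [  # constructed sample announcements from the downstream
    Route("192.0.2.0/24", (64500,)),          # legitimate origination
    Route("198.51.100.128/25", (64500,)),     # own space, but more specific than allowed
    Route("203.0.113.0/24", (64500,)),        # foreign space originated by the customer
    Route("203.0.113.0/24", (64500, 64501)),  # foreign space propagated from another AS
]

if __name__ == "__main__":
    for prefix, by_path, by_prefix in evaluate(ANNOUNCEMENTS):
        print(f"{prefix:20} as_path={'permit' if by_path else 'deny':6} "
              f"prefix={'permit' if by_prefix else 'deny'}")
```

The third announcement is the case from the thread: the path contains only the customer's AS, so the AS_PATH filter permits it, and only the prefix filter denies it.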



