intra-AS messaging for route leak prevention
Sriram, Kotikalapudi (Fed)
kotikalapudi.sriram at nist.gov
Mon Jun 6 11:41:52 UTC 2016
I am a co-author on a route-leak detection/mitigation/prevention draft
in the IDR WG in the IETF:
https://tools.ietf.org/html/draft-ietf-idr-route-leak-detection-mitigation-03
Based on private conversations with a few major ISPs, the following
common practice for intra-AS messaging (using Community tagging in iBGP)
for prevention of route leaks is described in Section 3.2 of the draft:
<begin quote>
“Routes are tagged on ingress to an AS with communities for origin,
including the type of eBGP peer it was learned from (customer,
transit-provider or peer), geographic location, etc. The community
attributes are carried across the AS with the routes. Routes that
the AS originates directly are tagged with similar origin communities
when they are redistributed into BGP from static, IGP, etc. These
communities are used along with additional logic in route policies to
determine which routes are to be announced to which eBGP peers and
which are to be dropped. Route policy is applied to eBGP sessions
based on what set of routes they should receive (transit, full
routes, internal-only, default-only, etc.). In this process, the
ISP's AS also ensures that routes learned from a transit-provider or
a lateral peer (i.e. non-transit) at an ingress router are not leaked
at an egress router to another transit-provider or peer.
Additionally, in many cases, ISP network operators' outbound policies
require explicit matches for expected communities before passing
routes. This helps ensure that if an update has made it into
the routing table (i.e. RIB) but has missed its ingress community
tagging (due to a missing/misapplied ingress policy), it will not be
inadvertently leaked.”
<end quote>
Question: Are there other means of conveying this information
in common use today (i.e. for prevention of route leaks)?
Also, the following publicly available references can be
possibly cited in support of the above:
https://www.nanog.org/meetings/nanog40/presentations/BGPcommunities.pdf
http://showipbgp.com/bgp-tools/bgp-community-list/91-level3-as3356.html
Pointers to any other relevant references would be very welcome as well.
Thank you.
Sriram
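The practice quoted above, written out as an added configuration example in Cisco IOS-style syntax (this is illustrative config composed for this post, not from the draft, the ISPs mentioned, or any vendor documentation). It assumes a local AS of 65000, origin community values 65000:100/200/300/400, and RFC 5737 documentation addresses for the neighbors; all of those are assumptions. Routes are tagged on ingress by peer type, the tags are carried over iBGP with `send-community`, and every outbound policy requires an explicit match on an expected community, so an update that reached the RIB without its ingress tag falls through to the final `deny` clause instead of being leaked.

```cisco
ip bgp-community new-format
!
! Origin communities (assumed values); one per type of eBGP peer, plus own routes
ip community-list standard FROM-CUSTOMER permit 65000:100
ip community-list standard FROM-PEER     permit 65000:200
ip community-list standard FROM-PROVIDER permit 65000:300
ip community-list standard FROM-SELF     permit 65000:400
!
! Ingress: tag every accepted route with the type of eBGP peer it was learned from
route-map CUSTOMER-IN permit 10
 set community 65000:100 additive
!
route-map PEER-IN permit 10
 set community 65000:200 additive
!
route-map PROVIDER-IN permit 10
 set community 65000:300 additive
!
! Routes this AS originates get an origin community when redistributed from static
route-map STATIC-TO-BGP permit 10
 set community 65000:400 additive
!
! Egress to a transit provider or lateral peer: only customer and own routes.
! Provider- and peer-learned routes do not match, and neither does a route that
! missed ingress tagging; both fall through to the deny clause.
route-map PROVIDER-OUT permit 10
 match community FROM-CUSTOMER FROM-SELF
route-map PROVIDER-OUT deny 20
!
route-map PEER-OUT permit 10
 match community FROM-CUSTOMER FROM-SELF
route-map PEER-OUT deny 20
!
! Egress to a customer: full routes, but still only routes carrying an expected tag
route-map CUSTOMER-OUT permit 10
 match community FROM-CUSTOMER FROM-PEER FROM-PROVIDER FROM-SELF
route-map CUSTOMER-OUT deny 20
!
router bgp 65000
 ! iBGP: communities must be sent so the tags survive across the AS (address assumed)
 neighbor 192.0.2.10 remote-as 65000
 neighbor 192.0.2.10 send-community
 ! eBGP sessions, one per peer type (ASNs and addresses assumed)
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description customer
 neighbor 203.0.113.1 route-map CUSTOMER-IN in
 neighbor 203.0.113.1 route-map CUSTOMER-OUT out
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 description lateral peer
 neighbor 203.0.113.2 route-map PEER-IN in
 neighbor 203.0.113.2 route-map PEER-OUT out
 neighbor 203.0.113.3 remote-as 64498
 neighbor 203.0.113.3 description transit provider
 neighbor 203.0.113.3 route-map PROVIDER-IN in
 neighbor 203.0.113.3 route-map PROVIDER-OUT out
 redistribute static route-map STATIC-TO-BGP
```

The point of the trailing `deny` clauses is the "explicit match" behaviour described in the quoted text: an untagged route is treated as untrusted rather than assumed safe, which is what keeps a missing or misapplied ingress policy from turning into a leak. In a real deployment the ingress policies would also carry the geographic and other origin communities mentioned, and the `match community` lists would be extended accordingly.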