Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

• Previous message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Next message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Aug 2, 2020 at 4:34 AM Robert Raszuk <robert at raszuk.net> wrote:

> All,
>
> Watching this thread with interest got an idea - let me run it by this
> list before taking it any further (ie. to IETF).
>
> How about we learn from this and try to make BGP just a little bit safer ?
>
> *Idea: *
>
> In all stub (non transit) ASNs we modify BGP spec and disable automatic
> iBGP to eBGP advertisement ?
>

Why do you believe a stub AS was involved or that would have changed this
situation?

The whole point of Noction is for a bad isp to fake more specific routes to
downstream customers.  Noction is sold to ISPs, aka transit AS, afaik



> *Implementation: *
>
> Vendors to allow to define as part of global bgp configuration if
> given ASN is transit or not. The default is to be discussed - no bias.
>

Oh. A configuration knob. Noction had knobs, the world runs of 5 year old
software with default configs.


> *Benefit: *
>
> Without any issues anyone playing any tools in his network will be able to
> just issue one cli
>

Thanks for no pretending we configure our networks with yang model apis

and be protected from accidentally hurting others. Yet naturally he will
> still be able to advertise his neworks just as today except by explicit
> policy in any shape and form we would find proper (example:
> "redistribute iBGP to eBGP policy-X").
>

XR rolls this way today, thanks Cisco. But the “any” keyword exists, so
yolo.


> We could even discuss if this should be perhaps part of BGP OPEN or BGP
> capabilities too such that two sides of eBGP session must agree with each
> other before bringing eBGP up.
>
> Comments, questions, flames - all welcome :)
>
> Cheers,
> Robert.
>
> PS. Such a definition sure can and likely will be misused (especially if
> we would just settle on only a single side setting it - but that will not
> cause any more harm as not having it at all.
>
> Moreover I can already see few other good options which BGP implementation
> or BGP spec can be augmented with once we know we are stub or for that
> matter once it knows it is transit ....
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200802/72235492/attachment.html>

• Previous message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Next message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]