BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]

Pekka Savola pekkas at netcore.fi
Mon Feb 25 13:08:34 UTC 2008


Changed the subject line a little...

On Mon, 25 Feb 2008, Hank Nussbacher wrote:
> At 03:14 AM 25-02-08 -0500, Paul Wall wrote:
>> Results were planned to be presented at the next NANOG, but they
>> shouldn't be a surprise to anyone in the industry: nobody filters.
>
> Incorrect.  Some do filter and do it well.  Problem is that it is in general 
> a minority - many of which can be found here on NANOG.

In a lot of this dialogue, many say, "you should prefix filter". 
However, I'm not seeing how an ISP could easily adopt such filtering.

Let's consider the options:

  1) manually maintained prefix-filters.  OK for small ISPs or small
     users where the prefix churn is minimal.

  2) build the filters based on IRR data.  But which IRRs to use?
     some points here:

   a) only RIPE IRR uses a sensible security model [1], so if you use
      others, basically anyone can add route objects to the registry.
      How exactly would this model be useful?

   b) use your own IRR where you require your customers to add the
      route objects and verify that they're OK.  This means a lot of
      work for you and even more for your customers.

So, this is no excuse for not doing prefix filtering if you only do 
business in the RIPE region, but anywhere else the IRR data is pretty 
much useless, incorrect, or both.

(Yeah, we prefix filter all our customers.  Our IPv6 peers are also 
prefix filtered, based on RIPE IRR data (with one exception).  IPv4 
peers' advertisements seem to be too big a mess, and too long filters, 
to fix this way.)

[1] Joe Abley's explanation on SIDR list on 20 Jun 2007:
http://www.ietf.org/mail-archive/web/sidr/current/msg00201.html

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
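
Added example, not part of the original message: a sketch of option 2, building a per-customer prefix filter from IRR route objects while admitting only objects whose `source:` registry you have decided to trust. The RPSL dump, the AS numbers, the `OTHER-IRR` registry name and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed RPSL objects (documentation prefixes and ASNs), not registry data.
SAMPLE_IRR_DUMP = """\
route:      192.0.2.0/24
origin:     AS64500
source:     RIPE

route:      198.51.100.0/24
origin:     AS64500
source:     OTHER-IRR

route6:     2001:db8:100::/48
origin:     AS64500
source:     RIPE

route:      192.0.2.0/24
origin:     AS64501
source:     RIPE
"""


def parse_rpsl(text):
    """Yield one attribute dict per object; objects are split on blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            # Skip comments and continuation lines (not needed for these keys).
            if not line or line[0] in "#% \t+" or ":" not in line:
                continue
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), value.split("#")[0].strip())
        yield obj


def build_filter(text, customer_as, trusted_sources):
    """Return (sorted accepted prefixes, rejected (prefix, source) pairs)."""
    accepted, rejected = set(), []
    for obj in parse_rpsl(text):
        prefix = obj.get("route") or obj.get("route6")
        if not prefix or obj.get("origin", "").upper() != customer_as:
            continue  # not a route object originated by this customer
        net = ipaddress.ip_network(prefix, strict=True)  # raises on host bits
        if obj.get("source", "").upper() not in trusted_sources:
            rejected.append((prefix, obj.get("source", "?")))
        else:
            accepted.add(str(net))
    return sorted(accepted), rejected
```

The rejected list is worth logging: it shows which of a customer's registrations exist only in registries you do not trust, which is the case the message describes for non-RIPE data.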
