BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]
Pekka Savola
pekkas at netcore.fi
Mon Feb 25 19:19:19 UTC 2008
On Mon, 25 Feb 2008, Danny McPherson wrote:
>> (Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix
>> filtered, based on RIPE IRR data (with one exception). IPv4 peers'
>> advertisements seem to be too big a mess, and too long filters, to fix this
>> way.)
>
> Do you explicitly filter routes from your upstream or transit providers?
> E.g., if one were to announce, say, a more specific of one of your
> customer's routes to you would you accept it? What about someone
> else's address space?
Our own or our singlehomed customers' address space -- we would reject
such an advertisement. The same inbound consistency check applies to
peers and upstreams/transits.
If it's someone else's or a more specific or the same prefix as our
multihomed customers -- we accept it. There isn't anything else we
can do in practise which would not hurt legitimate routing..
> It was extremely painful at times, even for us, if we wanted to
> advertise new address space we had to update IRR objects and
> wait on their nightly push of updated routing policies at ANS. We
> generated our own routing policies automatically off our IRR, which
> mirrored others as well, and explicitly prefix filtered customers with
> some fixed prefix and AS path-based policies applied to peers. If it
> became really urgent, then we'd call ANS and have them manually
> update their policy, and subsequently 'bounce' the route
> announcement to trigger transmission of a new update.
Sounds like a procedure that should be applied today (whether or not
you want to use IRR and/or autogenerated configs is a matter of taste)
but the principle seems sound.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG
mailing list