Strict route filtering at IX?

Peter Ehiwe peterehiwe at gmail.com
Wed Dec 12 12:08:16 UTC 2012


I use a mixture of BGP communities and prefix lists and it scales very
well for me.

Rgds Peter,
Sent from my Asus Transformer Pad
On Dec 12, 2012 3:24 AM, "Dan Luedtke" <mail at danrl.de> wrote:

> Hi NANOGers,
>
> tl;dr What is the best practice for filtering a large number of
> prefixes at an internet exchange?
>
> Yesterday I ran into problems while writing new filtering rules for
> my peerings at a local Exchange. My workflow probably has a flaw,
> although it works fine for IPv6 (well, fewer prefixes there).
>
> After the physical link was set up I started a BGP session with the
> route server of the exchange. A few minutes later some other AS
> imported my prefix, e.g. those listed at HE[1]. I guess they filtered
> "less strict" :)
> The next day the exchange's route server administrator added my AS-SET
> to the AS-SET of the route server.
>
> --- snip RIPE DB ---
> as-set:         AS-KLEYREX-RS1
> descr:          KleyReX Internet Exchange Frankfurt
> [...]
> members:        AS-NONATTACHED
> --- snap ---
>
> A few days have passed since then but the number of peers has not
> increased as expected. Is this normal?
> My mp-* entries look like this:
>
> --- snip RIPE DB ---
> aut-num:        AS57821
> as-name:        NONATTACHED-AS
> [...]
> mp-import:      afi ipv4.unicast from AS31142 accept AS-KLEYREX-RS1
> mp-export:      afi ipv4.unicast to AS31142 announce AS-NONATTACHED
> --- snap ---
>
> Yesterday I thought about importing the route server's prefixes and, of
> course, to filter them. Using rtconfig[2] I created a filter for BIRD[3]
> like this:
>
> --- snip bird.conf ---
> if (prefix_too_long()) then reject;
> @rtconfig printPrefixes "if (net ~ [ %p/%l+ ]) then accept;\n" filter AS-KLEYREX-RS1
> reject;
> --- snap ---
>
> This takes about 10-20 minutes and results in a very large config file
> consisting of hundreds of prefixes in IPv4. The same config file for
> IPv6 would be smaller. However, legacy protocol IPv4 is not yet dead so
> I need to filter it somehow. BIRD sometimes segfaults when it is
> advised to read those large filters.
>
> So, here's the question: How do you filter at exchanges?
> Where is the error in my workflow?
> Is strict route filtering a myth?
>
>
> Thanks for helping!
>
>
> Dan
>
> [1] http://bgp.he.net/AS57821#_peers
> [2] http://irrtoolset.isc.org/wiki/RtConfig
> [3] http://bird.network.cz
>
>
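
The rtconfig template in the quoted message emits one `if (net ~ [ %p/%l+ ]) then accept;` line per prefix. The sketch below is an added example (not code from the thread, BIRD or IRRToolSet) that renders the same accept list as a single BIRD prefix set and drops entries already covered by a shorter `+` pattern. The sample prefixes are constructed documentation ranges, and the names `rs_in`, `RS_PREFIXES`, `drop_covered` and `bird_filter` are hypothetical.

```python
import ipaddress

# Constructed sample standing in for an expanded AS-SET (documentation
# ranges only, not data from the thread).
SAMPLE_PREFIXES = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "203.0.113.128/25",
    "192.0.2.0/24",
    "192.0.2.64/26",    # covered by 192.0.2.0/24+
    "198.51.100.0/24",  # duplicate
    "2001:db8::/32",    # wrong address family for an IPv4 filter
]


def drop_covered(prefixes, version=4):
    """Return one address family, without duplicates or covered more-specifics.

    BIRD's "p/l+" pattern already matches every more-specific of p/l, so such
    entries are redundant. Adjacent siblings are NOT merged: two /25+ entries
    reject the covering /24, while a merged /24+ would accept it.
    """
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}
    by_len = sorted((n for n in nets if n.version == version),
                    key=lambda n: (n.prefixlen, n.network_address))
    kept = []
    for net in by_len:  # shortest first, so a covering prefix is already kept
        if not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    return sorted(kept, key=lambda n: (n.network_address, n.prefixlen))


def bird_filter(name, set_name, prefixes):
    """Render a BIRD filter that matches against a single named prefix set."""
    nets = drop_covered(prefixes)
    if not nets:
        raise ValueError("empty prefix set: refusing to write a filter")
    members = ",\n".join(f"    {n}+" for n in nets)
    return (
        f"define {set_name} = [\n{members}\n];\n\n"
        f"filter {name} {{\n"
        "    if (prefix_too_long()) then reject;  # helper from the quoted post\n"
        f"    if (net ~ {set_name}) then accept;\n"
        "    reject;\n"
        "}\n"
    )


if __name__ == "__main__":
    print(bird_filter("rs_in", "RS_PREFIXES", SAMPLE_PREFIXES))
```
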

