Route leak in Bangladesh

Tue Jun 30 14:53:45 UTC 2015

On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner at cluebyfour.org> wrote:

> On Tue, 30 Jun 2015, Matsuzaki Yoshinobu wrote:
> 
>> Randy Bush <randy at psg.com> wrote
>>>> A friend in AS58587 confirmed that this was caused by a configuration
>>>> error - it seems like related to redistribution, and they already
>>>> fixed that.
>>> 
>>> 7007 all over again.  do not redistribute bgp into igp.  do not
>>> redistribute igp into bgp.
>> 
>> I also suggested them to implement BGP community based route filtering
>> in their outbound policy.  Any other suggestions or thoughts to
>> prevent such incidents in general?
> 
> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) and your downstream customer ASNs.  Whether this is done manually, built using AS-SETs from your route registry of choice, or through some other
> automated means is another story.
> 

That sort of AS_PATH filtering would not have helped in this case.  The AS originated the routes, it did not propagate an upstream route.

So an AS_PATH filter to just its own AS would have passed these routes.

You would need origin validation on your outbound routes.  Job suggested prefix filters on outbound routes.  (If you are doing prefix filters on your inbound customer links, it might be excessive caution to also prefix filter customers prefixes on outbound links?  Or is it: you can never be too careful, belt-and-suspenders, measure twice, etc?)

--Sandy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150630/f0c831bf/attachment.sig>