Route leak in Bangladesh

Justin M. Streiner streiner at cluebyfour.org
Tue Jun 30 15:28:15 UTC 2015


On Tue, 30 Jun 2015, Sandra Murphy wrote:

> On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner at cluebyfour.org> wrote:
>> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) 
>> and your downstream customer ASNs.  Whether this is done manually, 
>> built using AS-SETs from your route registry of choice, or through some 
>> other automated means is another story.
>>
>
> That sort of AS_PATH filtering would not have helped in this case.  The 
> AS originated the routes, it did not propagate an upstream route.

I didn't realise they offending AS was originating those routes, rather 
than propagating the existing ones.

> So an AS_PATH filter to just its own AS would have passed these routes.

That's why I suggested it as a minimum precaution.  When I worked in the 
service provider world, we did prefix + AS-PATH filtering + max-prefix, 
which was pretty effective in keeping BGP-borne madness down to a dull 
roar.  Would that stop everything?  No, but it did help a lot.  I still 
work in a BGP-speaking organization - just not one that has downstream 
BGP-speaking customers at this point.

> You would need origin validation on your outbound routes.  Job 
> suggested prefix filters on outbound routes.  (If you are doing prefix 
> filters on your inbound customer links, it might be excessive caution to 
> also prefix filter customers prefixes on outbound links?  Or is it: you 
> can never be too careful, belt-and-suspenders, measure twice, etc?)

It depends on how much automation can be done to update the 
necessary filters and AS-PATH ACLs, and how much you trust both the 
automation method and the data source for those filters.

jms



More information about the NANOG mailing list