Route leak in Bangladesh
Justin M. Streiner
streiner at cluebyfour.org
Tue Jun 30 15:28:15 UTC 2015
On Tue, 30 Jun 2015, Sandra Murphy wrote:
> On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner at cluebyfour.org> wrote:
>> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s)
>> and your downstream customer ASNs. Whether this is done manually,
>> built using AS-SETs from your route registry of choice, or through some
>> other automated means is another story.
>>
>
> That sort of AS_PATH filtering would not have helped in this case. The
> AS originated the routes, it did not propagate an upstream route.
I didn't realise the offending AS was originating those routes, rather
than propagating the existing ones.
> So an AS_PATH filter to just its own AS would have passed these routes.
That's why I suggested it as a minimum precaution. When I worked in the
service provider world, we did prefix + AS-PATH filtering + max-prefix,
which was pretty effective in keeping BGP-borne madness down to a dull
roar. Would that stop everything? No, but it did help a lot. I still
work in a BGP-speaking organization - just not one that has downstream
BGP-speaking customers at this point.
> You would need origin validation on your outbound routes. Job
> suggested prefix filters on outbound routes. (If you are doing prefix
> filters on your inbound customer links, it might be excessive caution to
> also prefix filter customers' prefixes on outbound links? Or is it: you
> can never be too careful, belt-and-suspenders, measure twice, etc?)
It depends on how much automation can be done to update the
necessary filters and AS-PATH ACLs, and how much you trust both the
automation method and the data source for those filters.
jms
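
The point made in the thread, as an added example that is not part of the original post: an outbound AS-PATH filter limited to your own and customer ASNs stops a propagated upstream route but passes a route your own AS originates for a prefix it does not hold, which only an outbound prefix filter catches. The ASNs, prefixes, registry table and function names are constructed for illustration (documentation ranges from RFC 5398 and RFC 5737), and keying the prefix filter on the origin AS is an assumption about how the filter is built.

```python
import ipaddress

# Constructed sample data: documentation ASNs and prefixes, not real networks.
OWN_ASN = 64500
CUSTOMER_ASNS = {64501}

# Hypothetical registry data: origin ASN -> list of (prefix, max prefix length).
REGISTERED = {
    64500: [("192.0.2.0/24", 24)],
    64501: [("198.51.100.0/24", 24)],
}

def as_path_ok(as_path):
    """Outbound AS-PATH filter: every ASN must be ours or a downstream customer's."""
    allowed = {OWN_ASN} | CUSTOMER_ASNS
    return len(as_path) > 0 and all(asn in allowed for asn in as_path)

def prefix_ok(prefix, as_path):
    """Outbound prefix filter: the origin AS must be registered for this prefix."""
    if not as_path:
        return False
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # rightmost ASN in the path is the originator
    for registered, max_len in REGISTERED.get(origin, []):
        covered = net.subnet_of(ipaddress.ip_network(registered))
        if covered and net.prefixlen <= max_len:
            return True
    return False

def outbound_decision(prefix, as_path):
    """Apply both filters in order and report which one rejected the route."""
    if not as_path_ok(as_path):
        return "reject: as-path"
    if not prefix_ok(prefix, as_path):
        return "reject: prefix"
    return "announce"

# Constructed routes as they would be announced (own ASN already prepended).
ROUTES = {
    "own prefix":            ("192.0.2.0/24",    [64500]),
    "customer prefix":       ("198.51.100.0/24", [64500, 64501]),
    "propagated upstream":   ("203.0.113.0/24",  [64500, 64510]),
    "originated, not ours":  ("203.0.113.0/24",  [64500]),
}

if __name__ == "__main__":
    for label, (prefix, path) in ROUTES.items():
        print(f"{label:22} {prefix:18} {path} -> {outbound_decision(prefix, path)}")
```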