More specifics from AS18978
job at instituut.net
Fri Mar 27 10:03:53 UTC 2015
On Thu, Mar 26, 2015 at 11:26:07PM -0400, ML wrote:
> On 3/26/2015 6:20 PM, Nick Rose wrote:
> >While investigating the issue we did find that the noction appliance
> >stopped advertising the no export community string with its
> >advertisements which is why certain prefixes were also seen.
> Wouldn't it be a BCP to set no-export from the Noction device too?
Sure, but even that might not always prevent the fake paths from leaking
to your eBGP neighbors. For instance, not too long ago there was this
"Routes learned with the no-export community from an iBGP neighbor
are being advertised to eBGP neighbors. This may occur on Cisco ASR
9000 Series Aggregation Services Routers." (don't remember BugID)
In other words: it can happen to the best of us.
You should not lie to yourself by inserting fake more-specific paths
into routing tables. The moment your lies somehow manage to escape into
the default-free-zone you are taking other businesses down. Whether the
leak is caused by a bug in the router's software or human error,
destroying other people's online presence is far beyond acceptable.
If the same leak would've happened /without/ the fake more-specifics,
it'd still be an issue, but the collateral damage would have been
dampened. The leaked paths would have to compete with the normal paths
and best-path selectors like as-path length apply.
Using software to insert fake more-specific paths into your routing
domain should be discouraged and frowned upon.
More information about the NANOG