algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters
Henrik Thostrup Jensen
htj at nordu.net
Thu Feb 4 11:58:54 UTC 2016
On Thu, 4 Feb 2016, Martin T wrote:
> am I correct that ISPs (in RIPE region), who update their BGP prefix
> filters automatically, ask their IP transit customer or peering
> partner to provide their "route"/"route6" object(s) or "as-set" object
> in order to find all the prefixes which they should accept?
This is a common practice to do. Both within and outside the RIPE region.
For bigger networks, prefix lists become somewhat unwieldy, and one can
then use as-path filters instead. Use a prefix limit with this.
Typically you use a tool (bgpq3) to generate the prefix lists.
> If the IP transit customer or peering partner provides an "as-set", then
> ISP needs to ensure that this "as-set" belongs to this IP transit
> customer or peering partner because there is no automatic authentication
> for this, i.e. anybody can create an "as-set" object to database with
> random "members" attributes?
I don't know the procedure for creating as-sets, maybe someone else can
> This is opposite to "route"/"route6" objects which follow a strict
> authentication scheme.
I believe this differs depending on the irrd software/operator.
> In addition, in case of "as-set", an ISP needs to recursively find all
> the AS numbers from "members" attributes because "as-set" can include
> other "as-sets"?
Some irrd servers, can expand this automatically (I think). But seriously,
use a tool for this.
> Quite a lot of question, but I would simply like to be sure that I
> understand this correctly.
There are basically two abstractions:
1. as-set. Can contain other as-sets or as numbers.
2. prefixes are registered to an as-number.
Remember that there are multiple IRR servers, and they mirror each other.
Use http://irrexplorer.nlnog.net/ to play around a bit :-).
Best regards, Henrik
Henrik Thostrup Jensen <htj at nordu.net>
Software Developer, NORDUnet
More information about the NANOG