algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

Henrik Thostrup Jensen htj at nordu.net
Thu Feb 4 11:58:54 UTC 2016


Hi Martin

On Thu, 4 Feb 2016, Martin T wrote:

> am I correct that ISPs (in RIPE region), who update their BGP prefix
> filters automatically, ask their IP transit customer or peering
> partner to provide their "route"/"route6" object(s) or "as-set" object
> in order to find all the prefixes which they should accept?

This is a common practice to do. Both within and outside the RIPE region. 
For bigger networks, prefix lists become somewhat unwieldy, and one can 
then use as-path filters instead. Use a prefix limit with this.

Typically you use a tool (bgpq3) to generate the prefix lists.

> If the IP transit customer or peering partner provides an "as-set", then 
> ISP needs to ensure that this "as-set" belongs to this IP transit 
> customer or peering partner because there is no automatic authentication 
> for this, i.e. anybody can create an "as-set" object in the database with 
> random "members" attributes?

I don't know the procedure for creating as-sets, maybe someone else can 
chip in.

> This is opposite to "route"/"route6" objects which follow a strict 
> authentication scheme.

I believe this differs depending on the irrd software/operator.

> In addition, in case of "as-set", an ISP needs to recursively find all 
> the AS numbers from "members" attributes because "as-set" can include 
> other "as-sets"?

Some irrd servers can expand this automatically (I think). But seriously, 
use a tool for this.

> Quite a lot of questions, but I would simply like to be sure that I 
> understand this correctly.

There are basically two abstractions:

1. as-set. Can contain other as-sets or as numbers.
2. prefixes are registered to an as-number.

Remember that there are multiple IRR servers, and they mirror each other.

Use http://irrexplorer.nlnog.net/ to play around a bit :-).


     Best regards, Henrik

  Henrik Thostrup Jensen <htj at nordu.net>
  Software Developer, NORDUnet
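
Added example, not part of the original message or of bgpq3: a sketch of the two abstractions discussed in the thread, expanding an as-set recursively (with loop protection) into AS numbers and then keeping only the prefixes registered to those origins. The object names, ASNs, prefixes and function names are constructed for illustration; a production filter would query IRR mirrors with a tool such as bgpq3.

```python
import ipaddress
import re

# Constructed sample data standing in for IRR objects (documentation ASNs/prefixes).
AS_SETS = {
    "AS-CUSTOMER": ["AS64500", "AS-DOWNSTREAM"],
    # Loops back to its parent and names a set that is not registered.
    "AS-DOWNSTREAM": ["AS64501", "AS-CUSTOMER", "AS-MISSING"],
}
ROUTES = [  # (prefix, origin) as found in route/route6 objects
    ("192.0.2.0/24", "AS64500"),
    ("198.51.100.0/24", "AS64501"),
    ("2001:db8::/32", "AS64501"),
    ("203.0.113.0/24", "AS64511"),  # origin outside the customer's as-set
]
AS_NUMBER = re.compile(r"AS\d+", re.IGNORECASE)

def expand_as_set(name, as_sets, seen=None):
    """Return (asns, unresolved) reachable from an as-set, following nested sets."""
    seen = set() if seen is None else seen
    asns, unresolved = set(), set()
    if name in seen:  # as-sets can reference each other; visit each one once
        return asns, unresolved
    seen.add(name)
    for member in as_sets.get(name, []):
        if AS_NUMBER.fullmatch(member):
            asns.add(member.upper())
        elif member in as_sets:
            sub_asns, sub_unresolved = expand_as_set(member, as_sets, seen)
            asns |= sub_asns
            unresolved |= sub_unresolved
        else:
            unresolved.add(member)  # surface it instead of silently dropping it
    return asns, unresolved

def build_prefix_filter(as_set, as_sets, routes):
    """Keep only prefixes whose registered origin is in the expanded as-set."""
    asns, unresolved = expand_as_set(as_set, as_sets)
    nets = {ipaddress.ip_network(p) for p, origin in routes if origin in asns}
    return {
        "ipv4": [str(n) for n in sorted(n for n in nets if n.version == 4)],
        "ipv6": [str(n) for n in sorted(n for n in nets if n.version == 6)],
        "unresolved": sorted(unresolved),
    }

if __name__ == "__main__":
    print(build_prefix_filter("AS-CUSTOMER", AS_SETS, ROUTES))
```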




