BGP filtering study resources (Was: CloudFlare issues?)

Job Snijders job at
Tue Jun 25 14:25:05 UTC 2019

Dear Stephen,

On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:
> On 6/25/19 2:25 AM, Katie Holly wrote:
> > Disclaimer: As much as I dislike Cloudflare (I used to complain
> > about them a lot on Twitter), this is something I am absolutely
> > agreeing with them. Verizon failed to do the most basic of network
> > security, and it will happen again, and again, and again...
> I used to be a quality control engineer in my career, so I have a
> question to ask from the perspective of a QC guy:  what is the Best
> Practice for minimizing, if not totally preventing, this sort of
> problem?  Is there a "cookbook" answer to this?
> (I only run edge networks now, and don't have BGP to worry about.  If
> my current $dayjob goes away -- they all do -- I might have to get
> back into the BGP game, so this is not an idle query.)
> Somehow "just be careful and clueful" isn't the right answer.

Here are some resources which maybe can serve as a starting point for
anyone interested in the problem space:

presentation: Architecting robust routing policies

presentation: Practical Everyday BGP filtering "Peerlocking"

RFC 8212 ("EBGP default deny") and why we should ask our vendors like
Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be
compliant with this RFC:
slides 2-14:
skip to the rfc8212 part:
compliance tracker:

The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations
and testimonies:

Finally, there is the NLNOG BGP Filter Guide:
If you spot errors or have suggestions, please submit them via GitHub

Please let me or the group know should you require further information,
I love talking about this topic ;-)

Kind regards,

