BGP prefix filter list

Sabri Berisha sabri at cluecentral.net
Fri May 24 17:03:52 UTC 2019


Hi, 

They can, but they don't necessarily have to. In the example I mentioned, there was a private peering between them. Well, until very recently. My point being that it's not always black and white, and sometimes deaggregation is necessary for operational purposes. 

That's not to excuse lazy operators of course. 

Thanks, 

Sabri 

----- On May 22, 2019, at 11:23 AM, Ross Tajvar <ross at tajvar.io> wrote: 

> In that case shouldn't each company advertise a /21?

> On Wed, May 22, 2019, 1:11 PM Sabri Berisha < [ mailto:sabri at cluecentral.net |
> sabri at cluecentral.net ] > wrote:

>> Hi,

>> One legitimate reason is the split of companies. In some cases, IP space needs
>> to be divided up. For example, company A splits up in AA and AB, and has a /20.
>> Company AA may advertise the /20, while the new AB may advertise the top or
>> bottom /21. I know of at least one worldwide e-commerce company that is in that
>> situation.

>> Thanks,

>> Sabri

>> ----- On May 22, 2019, at 9:40 AM, Tom Beecher <beecher at beecher.cc> wrote:

>>> There are sometimes legitimate reasons to have a covering aggregate with some
>>> more specific announcements. Certainly there's a lot of cleanup that many
>>> should do in this area, but it might not be the best approach to this issue.

>>> On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta < [
>>> mailto:alejandroacostaalamo at gmail.com | alejandroacostaalamo at gmail.com ] >
>>> wrote:

>>>> On 5/20/19 7:26 PM, John Kristoff wrote:
>>>> > On Mon, 20 May 2019 23:09:02 +0000
>>>> > Seth Mattinen < [ mailto:sethm at rollernet.us | sethm at rollernet.us ] > wrote:

>>>> >> A good start would be killing any /24 announcement where a covering
>>>> >> aggregate exists.
>>>> > I wouldn't do this as a general rule. If an attacker knows networks are
>>>> > 1) not pointing default, 2) dropping /24's, 3) not validating the
>>>> > aggregates, and 4) no actual legitimate aggregate exists, (all
>>>> > reasonable assumptions so far for many /24's), then they have a pretty
>>>> > good opportunity to capture that traffic.

>>>> +1 John

>>>> Seth approach could be an option _only_ if prefix has an aggregate
>>>> exists && as origin are the same

>>>> > John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190524/64311b3e/attachment.html>


More information about the NANOG mailing list