BGP prefix filter list

Mike Hammett nanog at ics-il.net
Fri May 24 17:28:42 UTC 2019 

If networks are going to make unconventional announcements, I'm not concerned if they suffer because of it. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Sabri Berisha" <sabri at cluecentral.net> 
To: "Ross Tajvar" <ross at tajvar.io> 
Cc: "nanog" <nanog at nanog.org> 
Sent: Friday, May 24, 2019 12:03:52 PM 
Subject: Re: BGP prefix filter list 



Hi, 


They can, but they don't necessarily have to. In the example I mentioned, there was a private peering between them. Well, until very recently. My point being that it's not always black and white, and sometimes deaggregation is necessary for operational purposes. 


That's not to excuse lazy operators of course. 


Thanks, 

Sabri 


----- On May 22, 2019, at 11:23 AM, Ross Tajvar <ross at tajvar.io> wrote: 




In that case shouldn't each company advertise a /21? 


On Wed, May 22, 2019, 1:11 PM Sabri Berisha < sabri at cluecentral.net > wrote: 

<blockquote>



Hi, 

One legitimate reason is the split of companies. In some cases, IP space needs to be divided up. For example, company A splits up in AA and AB, and has a /20. Company AA may advertise the /20, while the new AB may advertise the top or bottom /21. I know of at least one worldwide e-commerce company that is in that situation. 

Thanks, 

Sabri 


----- On May 22, 2019, at 9:40 AM, Tom Beecher <beecher at beecher.cc> wrote: 


<blockquote>

There are sometimes legitimate reasons to have a covering aggregate with some more specific announcements. Certainly there's a lot of cleanup that many should do in this area, but it might not be the best approach to this issue. 


On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta < alejandroacostaalamo at gmail.com > wrote: 

<blockquote>

On 5/20/19 7:26 PM, John Kristoff wrote: 
> On Mon, 20 May 2019 23:09:02 +0000 
> Seth Mattinen < sethm at rollernet.us > wrote: 
> 
>> A good start would be killing any /24 announcement where a covering 
>> aggregate exists. 
> I wouldn't do this as a general rule. If an attacker knows networks are 
> 1) not pointing default, 2) dropping /24's, 3) not validating the 
> aggregates, and 4) no actual legitimate aggregate exists, (all 
> reasonable assumptions so far for many /24's), then they have a pretty 
> good opportunity to capture that traffic. 


+1 John 

Seth approach could be an option _only_ if prefix has an aggregate 
exists && as origin are the same 


> John 



</blockquote>

</blockquote>


</blockquote>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190524/b0c57dbe/attachment.html>

More information about the NANOG mailing list