BGP route hijack by AS10990

Owen DeLong owen at delong.com
Sat Aug 1 19:20:17 UTC 2020



> On Aug 1, 2020, at 11:14 , Hank Nussbacher <hank at interall.co.il> wrote:
> 
> On 01/08/2020 00:50, Mark Tinka wrote:
>> On 31/Jul/20 23:38, Sabri Berisha wrote:
>> 
>>> Kudos to Telia for admitting their mistakes, and fixing their processes.
>> Considering Telia's scope and "experience", that is one thing. But for
>> the general good of the Internet, the number of intended or
>> unintentional route hijacks in recent years, and all the noise that
>> rises on this and other lists each time we have such incidents (this
>> won't be the last), Telia should not have waited to be called out in
>> order to get this fixed.
>> 
>> Do we know if they are fixing this on just this customer of theirs, or
>> all their customers? I know this has been their filtering policy with us
>> (SEACOM) since 2014, as I pointed out earlier today. There has not been
>> a shortage of similar incidents between now and then, where the
>> community has consistently called for more deliberate and effective
>> route filtering across inter-AS arrangements.
>> 
>> 
> AS level filtering is easy. IP prefix level filtering is hard. Especially when you are in the top 200:
> https://asrank.caida.org/
IP Prefix level filtering at backbone<->backbone connections is hard (and mostly pointless).

IP Prefix level filtering at the customer edge is not that hard, no matter how large of a transit
provider you are. Customer edge filtration by Telia in this case would have prevented this
problem from spreading beyond the misconfigured ASN.

> That being said, and due to these BGP "polluters" constantly doing the same thing, wouldn't an easy fix be to use the max-prefix/prefix-limit option:
> https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/25160-bgp-maximum-prefix.html
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-limit-edit-protocols-bgp.html
That’s a decent pair of suspenders to go with the belt of prefix filtration at the edge, but it’s no substitute.

> For every BGP peer, the ISP determines what the current max-prefix currently is. Then add in 2% and set the max-prefix.
> An errant BGP polluter would then only have limited damage to the Internet routing table.
> Not the greatest solution, but easy to implement via a one line change on every BGP peer.

To the best of my knowledge, that’s already fairly common practice. It’s usually more like 10% (2% would require way
too much active change and create churn and risk).

Owen
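
Added example (not part of the original message or of any participant's tooling): a Python model of the two controls discussed in this thread, a customer-edge prefix filter and a max-prefix limit set at 2% or 10% headroom. The prefixes, the 40-prefix baseline and all function names are constructed for illustration.

```python
import ipaddress
import math

def max_prefix_limit(current_count, headroom_pct):
    """Session limit: prefixes seen today plus headroom, rounded up."""
    return current_count + math.ceil(current_count * headroom_pct / 100)

def permitted(announcement, prefix_filter):
    """Customer-edge filter: inside a registered block and not longer than max_len."""
    net = ipaddress.ip_network(announcement)
    return any(net.version == block.version and net.subnet_of(block)
               and net.prefixlen <= max_len for block, max_len in prefix_filter)

def evaluate_session(announcements, prefix_filter, limit):
    """Compare a limit-only session with one that filters before counting."""
    accepted, rejected = [], []
    for a in announcements:
        (accepted if permitted(a, prefix_filter) else rejected).append(a)
    return {"accepted": accepted, "rejected": rejected,
            "limit_only_trips": len(announcements) > limit,
            "filtered_trips": len(accepted) > limit}

# Constructed data: customer registered for one block, announcing 40 /24s today.
FILTER = [(ipaddress.ip_network("100.64.0.0/18"), 24)]
SUBNETS = [str(n) for n in ipaddress.ip_network("100.64.0.0/18").subnets(new_prefix=24)]
BASELINE = SUBNETS[:40]
GROWTH = SUBNETS[:42]                      # customer legitimately adds two /24s
FOREIGN = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]  # not the customer's
LEAK = BASELINE + FOREIGN

if __name__ == "__main__":
    for pct in (2, 10):
        limit = max_prefix_limit(len(BASELINE), pct)
        leak = evaluate_session(LEAK, FILTER, limit)
        growth = evaluate_session(GROWTH, FILTER, limit)
        print(f"{pct}% headroom -> limit {limit}: "
              f"leak trips limit-only session: {leak['limit_only_trips']}, "
              f"filter rejects {len(leak['rejected'])} prefixes, "
              f"legitimate growth trips session: {growth['filtered_trips']}")
```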
