Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

Robert Raszuk robert at raszuk.net
Sun Aug 2 11:33:36 UTC 2020


All,

Watching this thread with interest, I got an idea - let me run it by this list
before taking it any further (i.e. to IETF).

How about we learn from this and try to make BGP just a little bit safer ?

*Idea: *

In all stub (non transit) ASNs we modify BGP spec and disable automatic
iBGP to eBGP advertisement ?

*Implementation: *

Vendors to allow to define as part of global bgp configuration if given ASN
is transit or not. The default is to be discussed - no bias.

*Benefit: *

Without any issues anyone playing any tools in his network will be able to
just issue one cli and be protected from accidentally hurting others. Yet
naturally he will still be able to advertise his networks just as today
except by explicit policy in any shape and form we would find proper
(example: "redistribute iBGP to eBGP policy-X").

We could even discuss if this should be perhaps part of BGP OPEN or BGP
capabilities too such that two sides of eBGP session must agree with each
other before bringing eBGP up.

Comments, questions, flames - all welcome :)

Cheers,
Robert.

PS. Such a definition sure can and likely will be misused (especially if we
would just settle on only a single side setting it) - but that will not
cause any more harm than not having it at all.

Moreover I can already see a few other good options which BGP implementation
or BGP spec can be augmented with once we know we are stub or for that
matter once it knows it is transit ....
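
The export rule proposed in the message above, modelled in Python as an added example that is not part of the original post or of any vendor implementation. The `is_stub` switch, the `(prefix, max_len)` policy format, the name `POLICY_X` and all prefixes are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str        # NLRI of the best path in the border router's RIB
    learned_via: str   # "ibgp" (from an internal speaker) or "local"


def export_to_ebgp(rib, is_stub, policy=()):
    """Return the prefixes a border router would advertise to an eBGP peer.

    is_stub=False: behaviour without the knob, every best path is exportable.
    is_stub=True:  hypothetical proposed behaviour, an iBGP-learned route is
                   advertised only if an explicit policy entry permits it.
    """
    permitted = [(ip_network(p), max_len) for p, max_len in policy]
    advertised = []
    for route in rib:
        net = ip_network(route.prefix)
        if is_stub and route.learned_via == "ibgp":
            allowed = any(
                net.version == p.version
                and net.subnet_of(p)
                and net.prefixlen <= max_len
                for p, max_len in permitted
            )
            if not allowed:
                continue  # no automatic iBGP -> eBGP advertisement
        advertised.append(route.prefix)
    return advertised


# Constructed sample RIB of a stub AS (documentation prefixes only).
RIB = [
    Route("198.51.100.0/24", "ibgp"),   # own prefix, originated on an internal router
    Route("203.0.113.0/25", "ibgp"),    # more-specific injected by an internal tool
    Route("203.0.113.128/25", "ibgp"),  # more-specific injected by an internal tool
    Route("192.0.2.0/24", "local"),     # own prefix, originated on this border router
]

# Hypothetical stand-in for 'redistribute iBGP to eBGP policy-X'.
POLICY_X = [("198.51.100.0/24", 24)]

if __name__ == "__main__":
    print("no stub flag     :", export_to_ebgp(RIB, is_stub=False))
    print("stub, no policy  :", export_to_ebgp(RIB, is_stub=True))
    print("stub + policy-X  :", export_to_ebgp(RIB, is_stub=True, policy=POLICY_X))
```
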