Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

Mark Tinka mark.tinka at seacom.com
Sun Aug 2 12:12:15 UTC 2020



On 1/Aug/20 18:58, Job Snijders wrote:

> Following a large scale BGP incident in March 2015, Noction made it
> possible to optionally set the well-known NO_EXPORT community on route
> advertisements originated by IRP instances.
>
>     "In order to further reduce the likelihood of these problems
>     occurring in the future, we will be adding a feature within Noction
>     IRP to give an option to tag all the more specific prefixes that it
>     generates with the BGP NO_EXPORT community. This will not be enabled
>     by default [snip]"
>     https://www.noction.com/blog/route-optimizers
>     Mar 27, 2015
>
> Due to NO_EXPORT not being set in the default configuration, there are
> probably if not certainly many unsuspecting network engineers who end up
> deploying this software - without ever even considering - to change that
> one setting in the configuration.
>
> Fast forward a few years and a few incidents, on the topic of default
> settings, following the Cloudflare/DQE/Verizon incident:
>
>     "We do have no export community support and have done for many
>     years. The use of more specifics is also optional. Neither replaces
>     the need for filters."
>     https://twitter.com/noction/status/1143177562191011840
>     Jun 24, 2019
>
> Community members responded:
>
>     "Noction have been facilitating Internet outages for years and
>     years and the best thing they can say in response is that it is
>     technically possible to use their product responsibly, they just
>     don't ship it that way."
>     https://twitter.com/PowerDNS_Bert/status/1143252745257979905
>     June 24, 2019
>
> Last year Noction stated:
>
>     "Nobody found this leak pleasant."
>     https://www.noction.com/news/incident-response
>     June 26, 2019
>
> Sentiment we all can agree with, change is needed!
>
> As far as I know, Noction IRP is the ONLY commercially available
> off-the-shelf BGP route manipulation software which - as default - does
> NOT set the BGP well-known NO_EXPORT community on the product's route
> advertisements. This is a product design decision which causes
> collateral damage.
>
> I would like to urge Noction to reconsider their position. Seek to
> migrate the existing users to use NO_EXPORT, and release a new version
> of the IRP software which sets NO_EXPORT BY DEFAULT on all generated
> routes.

A great first step!

Mark.


