Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

Ca By cb.list6 at gmail.com
Sun Aug 2 20:06:52 UTC 2020


On Sun, Aug 2, 2020 at 9:36 AM Robert Raszuk <robert at raszuk.net> wrote:

> Hi Ca,
>
> > Noction is sold to ISPs, aka transit AS, afaik
>
> Interesting.
>
> My impression always was by talking to Noction some time back that mainly
> what they do is a flavor of performance routing.  But this is not about
> Noction IMHO.
>
> If I am a non transit ASN with N upstream ISPs I want to exit not in a hot
> potato style ... if I care about my services I want to exit the best
> performing way to reach back customers. That's btw what Cisco PFR does or
> Google's Espresso or Facebook Edge Fabric etc ...
>
> And you have few vendors offering this as well as bunch of home grown
> tools attempting to do the same. Go and mandate that all of them will do
> NO-EXPORT if they insert any routes ... And we will see more and more of
> those type of tools coming.
>
> Sure we have implementations with obligatory policy on eBGP - cool. And
> yes we have match "ANY" too.
>
> So if your feedback is that to limit the iBGP routes to go out over eBGP
> this is all sufficient and we do not need a bit more protection there then
> case solved.
>
> Cheers,
> R.
>
>
My feedback is the local_pref is complete for this behavior of setting an
outbound, including being non-transitive

FB uses local-pref for this afaik
https://research.fb.com/blog/2017/08/steering-oceans-of-content-to-the-world/


>
> On Sun, Aug 2, 2020 at 4:42 PM Ca By <cb.list6 at gmail.com> wrote:
>
>>
>>
>> On Sun, Aug 2, 2020 at 4:34 AM Robert Raszuk <robert at raszuk.net> wrote:
>>
>>> All,
>>>
>>> Watching this thread with interest got an idea - let me run it by this
>>> list before taking it any further (ie. to IETF).
>>>
>>> How about we learn from this and try to make BGP just a little bit safer
>>> ?
>>>
>>> *Idea: *
>>>
>>> In all stub (non transit) ASNs we modify BGP spec and disable automatic
>>> iBGP to eBGP advertisement ?
>>>
>>
>> Why do you believe a stub AS was involved or that would have changed this
>> situation?
>>
>> The whole point of Noction is for a bad isp to fake more specific routes
>> to downstream customers.  Noction is sold to ISPs, aka transit AS, afaik
>>
>>
>>
>>> *Implementation: *
>>>
>>> Vendors to allow to define as part of global bgp configuration if
>>> given ASN is transit or not. The default is to be discussed - no bias.
>>>
>>
>> Oh. A configuration knob. Noction had knobs, the world runs on 5 year old
>> software with default configs.
>>
>>
>>> *Benefit: *
>>>
>>> Without any issues anyone playing any tools in his network will be able
>>> to just issue one cli
>>>
>>
>> Thanks for not pretending we configure our networks with yang model apis
>>
>>> and be protected from accidentally hurting others. Yet naturally he will
>>> still be able to advertise his networks just as today except by explicit
>>> policy in any shape and form we would find proper (example:
>>> "redistribute iBGP to eBGP policy-X").
>>>
>>
>> XR rolls this way today, thanks Cisco. But the “any” keyword exists, so
>> yolo.
>>
>>
>>> We could even discuss if this should be perhaps part of BGP OPEN or BGP
>>> capabilities too such that two sides of eBGP session must agree with each
>>> other before bringing eBGP up.
>>>
>>> Comments, questions, flames - all welcome :)
>>>
>>> Cheers,
>>> Robert.
>>>
>>> PS. Such a definition sure can and likely will be misused (especially if
>>> we would just settle on only a single side setting it) - but that will not
>>> cause any more harm than not having it at all.
>>>
>>> Moreover I can already see few other good options which BGP
>>> implementation or BGP spec can be augmented with once we know we are stub
>>> or for that matter once it knows it is transit ....
>>>
>>>
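
The two steering approaches contrasted in this thread (raising LOCAL_PREF versus inserting more-specific routes with or without NO_EXPORT), as an added toy model that is not code from the thread or from any vendor. All ASNs, prefixes and function names are constructed for illustration, and the export step is simplified to send every RIB entry under a "match any" policy instead of only best paths.

```python
# Added example: toy model of eBGP export, not a BGP implementation.
from ipaddress import ip_network

NO_EXPORT = "NO_EXPORT"  # well-known community (RFC 1997)

def route(prefix, as_path, local_pref=100, communities=(), source="ebgp"):
    return {"prefix": ip_network(prefix), "as_path": list(as_path),
            "local_pref": local_pref, "communities": set(communities),
            "source": source}

def steer_with_local_pref(rib, prefix, via_asn, pref=200):
    """Prefer the copy of `prefix` learned from `via_asn`; no new prefix is created."""
    out = []
    for r in rib:
        hit = r["prefix"] == ip_network(prefix) and r["as_path"][0] == via_asn
        out.append({**r, "local_pref": pref} if hit else r)
    return out

def steer_with_more_specifics(rib, prefix, via_asn, no_export):
    """Insert the two halves of `prefix` into iBGP, as a route optimizer would."""
    base = next(r for r in rib
                if r["prefix"] == ip_network(prefix) and r["as_path"][0] == via_asn)
    tags = {NO_EXPORT} if no_export else set()
    halves = [route(str(h), base["as_path"], 200, tags, source="injected")
              for h in base["prefix"].subnets(prefixlen_diff=1)]
    return rib + halves

def ebgp_export(rib, local_asn):
    """Export to an external peer under a permissive 'match any' policy.
    Simplification: every RIB entry is exported, not only best paths."""
    sent = []
    for r in rib:
        if NO_EXPORT in r["communities"]:
            continue  # RFC 1997: must not leave the local AS
        # LOCAL_PREF is not sent to external peers (RFC 4271), so it is dropped.
        sent.append({"prefix": r["prefix"], "as_path": [local_asn] + r["as_path"],
                     "source": r["source"]})
    return sent

def leaked_injected(sent):
    """Prefixes an external peer receives that exist only because of injection."""
    return sorted(str(s["prefix"]) for s in sent if s["source"] == "injected")

# Constructed RIB: the same /24 learned from two upstreams (AS64501, AS64502).
RIB = [route("198.51.100.0/24", [64501, 64510]),
       route("198.51.100.0/24", [64502, 64510])]
```

With the permissive export policy, only the injected more-specifics without NO_EXPORT reach the external peer; the LOCAL_PREF change stays inside the AS because the attribute is never sent over eBGP.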