Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

• Previous message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Next message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I don't think there's any requirement for it to be for downstream customers (from a BGP perspective) or any relatance to transit ASes. 




Web hosting companies, their AS, no client ASes, huge optimization going on. I'd think mostly because the major eyeball ISPs have garbage peering policies and like to run their ports hot to force you to buy their transit\DIA. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Ca By" <cb.list6 at gmail.com> 
To: "Robert Raszuk" <robert at raszuk.net> 
Cc: nanog at nanog.org 
Sent: Sunday, August 2, 2020 9:42:12 AM 
Subject: Re: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990) 







On Sun, Aug 2, 2020 at 4:34 AM Robert Raszuk < robert at raszuk.net > wrote: 




All, 


Watching this thread with interest got an idea - let me run it by this list before taking it any further (ie. to IETF). 


How about we learn from this and try to make BGP just a little bit safer ? 


Idea: 


In all stub (non transit) ASNs we modify BGP spec and disable automatic iBGP to eBGP advertisement ? 





Why do you believe a stub AS was involved or that would have changed this situation? 


The whole point of Noction is for a bad isp to fake more specific routes to downstream customers. Noction is sold to ISPs, aka transit AS, afaik 




<blockquote>




Implementation: 


Vendors to allow to define as part of global bgp configuration if given ASN is transit or not. The default is to be discussed - no bias. 
</blockquote>



Oh. A configuration knob. Noction had knobs, the world runs of 5 year old software with default configs. 


<blockquote>





Benefit: 


Without any issues anyone playing any tools in his network will be able to just issue one cli 
</blockquote>



Thanks for no pretending we configure our networks with yang model apis 


<blockquote>


and be protected from accidentally hurting others. Yet naturally he will still be able to advertise his neworks just as today except by explicit policy in any shape and form we would find proper (example: "redistribute iBGP to eBGP policy-X"). 

</blockquote>



XR rolls this way today, thanks Cisco. But the “any” keyword exists, so yolo. 


<blockquote>





We could even discuss if this should be perhaps part of BGP OPEN or BGP capabilities too such that two sides of eBGP session must agree with each other before bringing eBGP up. 



Comments, questions, flames - all welcome :) 



Cheers, 
Robert. 

PS. Such a definition sure can and likely will be misused (especially if we would just settle on only a single side setting it - but that will not cause any more harm as not having it at all. 


Moreover I can already see few other good options which BGP implementation or BGP spec can be augmented with once we know we are stub or for that matter once it knows it is transit .... 



<blockquote>

</blockquote>

</blockquote>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200802/14269b16/attachment.html>

• Previous message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Next message (by thread): Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]