Customer sending blackhole route with another provider's AS

Chris Adams cma at cmadams.net
Tue Feb 11 16:30:17 UTC 2020


One of our multihomed customers is set up with some type of security
system from another upstream that can announce blackhole routes for
targeted IPs.  They have a BGP policy to take those blackhole routes and
add our blackhole community string so that we can drop the traffic (and
we in turn translate to our transit providers).  All good.

However, it doesn't work, because the route the customer sends to us has
the other upstream's AS as the source, and we have AS path filtering on
our customer links.

Is this a typical setup?  Should we just accept the route(s) with
another provider's AS in the path?  That seems... unusual.  Our internal
blackhole system uses a private AS (so it can be stripped off before
sending to anyone else).

Just curious what others do... I always assumed AS path filtering to
customer (and their downstream customers) AS was a standard best
practice.

-- 
Chris Adams <cma at cmadams.net>
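
The situation described in the message above, modelled as a small import-policy evaluator. This is an added example, not part of the original post and not any router's actual configuration; it shows why the relayed blackhole route is dropped and what a narrowly scoped exemption would let through. The AS numbers, prefixes, community value and the assumption that the customer prepends its own AS to the relayed route are all constructed for illustration.

```python
import ipaddress

# All values below are constructed for illustration (documentation ranges).
CUSTOMER_AS = 64496         # the multihomed customer
OTHER_UPSTREAM_AS = 64511   # the customer's other provider
BLACKHOLE = "64500:666"     # hypothetical stand-in for "our blackhole community"
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_AS = {CUSTOMER_AS}  # customer AS plus any registered downstream ASes


def path_filter_ok(as_path, allowed_as):
    """Customer AS-path filter: every AS in the path must be on the allow list."""
    return bool(as_path) and all(asn in allowed_as for asn in as_path)


def import_policy(route, allowed_as=ALLOWED_AS, blackhole_exempt=False):
    """Decide what happens to one route received on the customer session."""
    net = ipaddress.ip_network(route["prefix"])
    if not any(net.subnet_of(p) for p in CUSTOMER_PREFIXES):
        return "reject: prefix outside customer space"
    tagged = BLACKHOLE in route["communities"]
    # Option raised in the post: tolerate a foreign AS in the path, limited
    # here to tagged host routes inside the customer's own prefixes.
    skip_path = blackhole_exempt and tagged and net.prefixlen == 32
    if not skip_path and not path_filter_ok(route["as_path"], allowed_as):
        return "reject: as-path filter"
    return "blackhole" if tagged else "accept"


# Constructed sample routes as received on the customer session.
RELAYED = [CUSTOMER_AS, OTHER_UPSTREAM_AS]
NORMAL = {"prefix": "192.0.2.0/24", "as_path": [CUSTOMER_AS], "communities": []}
RELAYED_BH = {"prefix": "192.0.2.10/32", "as_path": RELAYED, "communities": [BLACKHOLE]}
FOREIGN_UNTAGGED = {"prefix": "192.0.2.0/24", "as_path": RELAYED, "communities": []}
OUTSIDE_BH = {"prefix": "198.51.100.7/32", "as_path": RELAYED, "communities": [BLACKHOLE]}

if __name__ == "__main__":
    for name, r in [("normal", NORMAL), ("relayed blackhole", RELAYED_BH),
                    ("foreign untagged", FOREIGN_UNTAGGED), ("outside space", OUTSIDE_BH)]:
        print(f"{name:18} strict={import_policy(r)!r} "
              f"exempt={import_policy(r, blackhole_exempt=True)!r}")
```

With the exemption enabled, only the tagged /32 inside the customer's prefix bypasses the path check; untagged routes and prefixes outside the customer's space are still rejected.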


