North American Network Operators Group


BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]

  • From: Pekka Savola
  • Date: Mon Feb 25 08:11:14 2008

Changed the subject line a little...

On Mon, 25 Feb 2008, Hank Nussbacher wrote:
> At 03:14 AM 25-02-08 -0500, Paul Wall wrote:
>> Results were planned to be presented at the next NANOG, but they
>> shouldn't be a surprise to anyone in the industry: nobody filters.
>
> Incorrect. Some do filter and do it well. Problem is that it is in general a minority - many of which can be found here on NANOG.

In a lot of this dialogue, many say, "you should prefix filter". However, I'm not seeing how an ISP could easily adopt such filtering.

Let's consider the options:

 1) manually maintained prefix-filters.  OK for small ISPs or small
    users where the prefix churn is minimal.

 2) build the filters based on IRR data.  But which IRRs to use?
    some points here:

  a) only RIPE IRR uses a sensible security model [1], so if you use
     others, basically anyone can add route objects to the registry.
     How exactly would this model be useful?

  b) use your own IRR where you require your customers to add the
     route objects and verify that they're OK.  This means a lot of
     work for you and even more for your customers.

So, this is no excuse for not doing prefix filtering if you only do business in the RIPE region, but anywhere else the IRR data is pretty much useless, incorrect, or both.

(Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix filtered, based on RIPE IRR data (with one exception). IPv4 peers' advertisements seem to be too big a mess, and too long filters, to fix this way.)

[1] Joe Abley's explanation on SIDR list on 20 Jun 2007:

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
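
Option 2 in the message above (customer filters built from IRR route objects, trusting only some registries), as an added example that is not part of the original post. The route objects are constructed from documentation prefixes and ASNs, and the `OTHERDB` registry name, the function names and the /24 length limit are assumptions made for illustration.

```python
import ipaddress

# Constructed RPSL route objects: documentation prefixes and ASNs, and a
# made-up registry name (OTHERDB). None of this is real registry data.
SAMPLE_IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64496
source:  RIPE

route:   198.51.100.0/24
origin:  AS64496
source:  OTHERDB

route:   203.0.113.0/24
origin:  AS64497
source:  RIPE
"""

def parse_route_objects(text):
    """Return one attribute dict per blank-line-separated route object."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            objects.append(attrs)
    return objects

def build_prefix_filter(objects, customer_as, trusted_sources):
    """Prefixes registered for customer_as in a registry we choose to trust."""
    return {
        ipaddress.ip_network(o["route"])
        for o in objects
        if o["origin"].upper() == customer_as.upper()
        and o.get("source", "").upper() in trusted_sources
    }

def accept(announced, allowed, max_len=24):
    """IPv4 only: accept if covered by a registered prefix and not longer than max_len."""
    net = ipaddress.ip_network(announced)
    if net.version != 4 or net.prefixlen > max_len:
        return False
    return any(a.version == 4 and net.subnet_of(a) for a in allowed)

if __name__ == "__main__":
    allowed = build_prefix_filter(parse_route_objects(SAMPLE_IRR_DUMP), "AS64496", {"RIPE"})
    for p in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "192.0.2.128/25"):
        print(p, "accept" if accept(p, allowed) else "reject")
```

Adding `OTHERDB` to the trusted set makes `198.51.100.0/24` pass, which is the trust question raised in point 2a: the filter is only as good as the registry's controls over who may create route objects.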