North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]

  • From: Pekka Savola
  • Date: Mon Feb 25 14:26:02 2008

On Mon, 25 Feb 2008, Danny McPherson wrote:
(Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix filtered, based on RIPE IRR data (with one exception). IPv4 peers' advertisements seem to be too big a mess, and too long filters, to fix this way.)

Do you explicitly filter routes from your upstream or transit providers? E.g., if one were to announce, say, a more specific of one of your customer's routes to you would you accept it? What about someone else's address space?

Our own or our singlehomed customers' address space -- we would reject such an advertisement. The same inbound consistency check applies to peers and upstreams/transits.

If it's someone else's or a more specific or the same prefix as our multihomed customers -- we accept it. There isn't anything else we can do in practise which would not hurt legitimate routing..

It was extremely painful at times, even for us, if we wanted to
advertise new address space we had to update IRR objects and
wait on their nightly push of updated routing policies at ANS.  We
generated our own routing policies automatically off our IRR, which
mirrored others as well, and explicitly prefix filtered customers with
some fixed prefix and AS path-based policies applied to peers.  If it
became really urgent, then we'd call ANS and have them manually
update their policy, and subsequently 'bounce' the route
announcement to trigger transmission of a new update.

Sounds like a procedure that should be applied today (whether or not you want to use IRR and/or autogenerated configs is a matter of taste) but the principle seems sound.

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings