Re: [isp-bgp] filtering practice
(Caveat: I have only transit providers and transit customers, no "peers" in the sense of swapping local and customer routes.)

Daniel Schild wrote:

> I'm just about to peer with another ISP, and now I'm wondering what's the best filtering practice when it comes to peering. Do I just allow everything from the other ISP, hoping that they don't mess up? The most important thing is to have some kind of control of what routes they give us, since we don't want to end up with them giving us a full table or something like that.
>
> The first thing I can think of is filtering on AS path, but I know they have other customers with their own ASNs. Of course I could always filter on the AS + 1, but I just want to hear about what the most common practice in this case is. Also, they have a couple of IP blocks, so we don't want to filter on their blocks (if we do, we also have to know if anything changes). Also, I don't know if any of their customers' ASes have customers with their own ASNs, and so on (probably not very likely).
>
> So, how much do you people filter from your peers?

The right thing would be to filter on {prefix, AS path}, though maintaining prefix lists for more than a few AS paths wouldn't scale well. The next best thing would be to filter on prefix list only. You're still vulnerable to blackholes then, if the peer accidentally sources any of those prefixes when they don't actually have reachability to the origin.

At NANOG34, one of the presentations discussed the impact and possible corrective steps for a major route leak last December. AS9121 leaked 101k routes as though they were the origin AS. Many of these were accepted as best path (shortest AS path wins!), either because there was cushion between the max-prefix limit and the actual prefixes prior to the event, or because the prefix list did allow those routes but (obviously; it's a prefix list) wasn't checking the origin AS as well.

During that discussion, Jared Mauch from Verio mentioned that they strictly prefix-list filter ALL BGP sessions. This has resulted in some router configs that are 8MB in size (they're all Juniper, I think). They use a route registry to AUTOMATICALLY build their prefix lists and update their routers nightly. There are open-source tools to do this, but I haven't mastered them yet (or I'd start doing the same thing).

Personally, I'd recommend prefix-list filters on all customers and peers, period.

pt

Copyright 2005 Jupitermedia Corporation. All Rights Reserved.
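As an added illustration of the reply's point (not code from the thread, from Verio or from any vendor), a Python sketch comparing the three controls pt describes: a prefix-only list, a {prefix, origin AS} check, and a max-prefix limit with cushion, run over a constructed peer update that includes routes the peer sources itself. The peer AS, prefixes, origin ASNs and limit are all constructed values.

```python
from ipaddress import ip_network

# Constructed inbound policy for one peer (AS 64500): the blocks we expect to learn from
# it and the origin AS each should carry. The thread notes such lists are best generated
# from a route registry rather than maintained by hand.
PEER_AS = 64500
EXPECTED_ORIGIN = {
    ip_network("192.0.2.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("203.0.113.0/24"): 64498,
}
MAX_PREFIX = 5  # constructed limit, with cushion above the 3 routes normally received

def expected_origin(prefix):
    """Origin AS the policy expects for prefix (exact or more-specific), or None."""
    for block, origin in EXPECTED_ORIGIN.items():
        if prefix.subnet_of(block):
            return origin
    return None

def prefix_only_accept(prefix, as_path):
    """Prefix-list filter: accepts an allowed prefix no matter who originates it."""
    return expected_origin(prefix) is not None

def prefix_and_origin_accept(prefix, as_path):
    """{prefix, AS path} filter: the rightmost AS must be the expected origin."""
    origin = expected_origin(prefix)
    return origin is not None and as_path[-1] == origin

def max_prefix_trips(routes):
    """Max-prefix guard: fires only when the session carries more than MAX_PREFIX routes."""
    return len(routes) > MAX_PREFIX

def accepted(routes, policy):
    return [str(prefix) for prefix, as_path in routes if policy(prefix, as_path)]

# Constructed update from the peer: two legitimate routes, plus two leaks in which the
# peer appears as origin for prefixes it has no real reachability to (the blackhole case).
UPDATE = [
    (ip_network("198.51.100.0/24"), [PEER_AS, 64497]),
    (ip_network("203.0.113.0/24"), [PEER_AS, 64498]),
    (ip_network("192.0.2.0/24"), [PEER_AS]),          # allowed prefix, wrong origin
    (ip_network("203.0.113.128/25"), [PEER_AS]),      # leaked more-specific, wrong origin
]

if __name__ == "__main__":
    print("prefix-only accepts:  ", accepted(UPDATE, prefix_only_accept))
    print("prefix+origin accepts:", accepted(UPDATE, prefix_and_origin_accept))
    print("max-prefix trips:     ", max_prefix_trips(UPDATE))  # False: 4 routes <= 5
```

The prefix-only list passes both leaked routes and the max-prefix limit never fires because the leak fits inside the cushion; only the origin check rejects them.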