Re: using IRR tools for BGP route filtering
From: John Fraizer <nanog () EnterZone Net>
Date: Fri, 23 Jun 2000 04:08:44 -0400 (EDT)

On Thu, 22 Jun 2000, Danny McPherson wrote:

> I'll again cite the www.cisco.com incident from a few months back.
> The announcement was originated from a large provider that performs
> prefix-based filtering on all customers.  I can speculate that your
> customers as well were affected by this.

OK, feasible or not to enforce, would it NOT be a good idea to incorporate
a "if you announce a network you shouldn't announce, we ignore your ASN"?

At the customer<->provider level, this is more likely since any provider
worth their salt should be prefix-list filtering customers.  At the
Provider<->Provider level, it becomes more political.  No one wants to
blackhole a network (or themselves from a network) because some network
engineer mistyped a network statement.  On the other hand, if punitive
damages, or blackholes to other networks, were a definite effect of
announcing the wrong prefixes, perhaps some providers (you know who you
are!) would recruit NOC/Network Engineer staff at places other than the
local Mediaplay and McDonalds.

If providers were egress filtering properly, a simple typo in a network
statement wouldn't be able to take out someone else's network.  It would
require that the same typo be made on a prefix-list as well.

If your network is so %^#&( large that one router can't deal with the
prefix-list for all the customers you have, perhaps instead of pushing
your stock price or showing $2B in profits, you should consider upgrading
the edges.

It appears to me, from recent events, that it has been large
providers %^#ing up and allowing announcements through.  People,
announcements from ASNs behind yours are as much your responsibility as
those that bear only your ASN.  If your BGP speaking customers keep
%^&*ing up, filter their announcements and LOG the exceptions.  Contact
them and find out WHY they tried to announce 0/0 or whatever bonehead
prefix bounced off their filters.  If they can't figure it out, you have
four options:

1) Static route into them.
2) Demand exclusive enable access to their router(s)
3) Hope they subscribe to the clue-of-the-month club
4) Prepare to be embarrassed/sued when your customer announces the most
specific for a site that stands to lose $10,000s per hour.

While I'm ranting, customers, if you give up exclusive enable access, keep
tabs on what your provider is doing.  I know of one instance where a
provider charges a customer for bridging two sides of said provider's

              ^                                            ^
              |-Customer DS3--|            |-Customer DS3--|
                              |- Cust rtr -|

It seems that in the case described, the provider core lost connectivity to
one of the coasts.  Since the provider had exclusive enable access to the
customer's router, they had set it up on their OSPF backbone as an "oh shit"
route.  When the provider core lost connectivity to one coast from the
other, they routed east coast to west coast, THROUGH the customer,
charging them for both inbound down one DS3 and outbound down the other.

The moral of this story is:

Allow your provider to prefix-list/AS-PATH filter you.  Don't give them
exclusive enable access on your router.  ESPECIALLY when you have more
connectivity into them than they have to the rest of the world.

The other moral of this story is:

If you catch your provider doing this, GET ANOTHER PROVIDER!!!

The provider in question knows who they are and knows they were caught.
(At least now they do.)  I'm not sure what was more embarrassing for them:
being caught or having to do it in the first place.

John Fraizer
EnterZone, Inc
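The customer-edge policy the post argues for (prefix-list the customer, check the AS-path for the ASNs behind them, and LOG every exception rather than silently dropping it) is small enough to show end to end. The block below is an added example and not code from this post or from any IRR tool; it models IOS-style prefix-list entries with their ge/le length bounds, adds a simple AS-path check, and records each rejected announcement. The customer ASN 64496, its downstream AS64497, the prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the sample announcements are all constructed from the documentation ranges; in production the rules would be generated from the customer's IRR objects rather than typed in.

```python
"""Inbound policy for one BGP customer session: prefix-list + AS-path check,
with every rejection logged. Added example; ASNs/prefixes are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PrefixRule:
    """One 'permit' entry of an IOS-style prefix-list: a covering prefix with
    optional ge/le bounds on the accepted prefix length."""
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net) -> bool:
        if isinstance(net, str):
            net = ipaddress.ip_network(net, strict=True)
        if net.version != self.prefix.version or not net.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = net.max_prefixlen
        else:
            hi = self.prefix.prefixlen  # neither ge nor le: exact match only
        return lo <= net.prefixlen <= hi


@dataclass
class CustomerPolicy:
    """Policy for one customer session, built from what the customer and its
    registered downstreams are allowed to originate."""
    name: str
    asn: int                  # ASN of the directly connected customer
    permitted_asns: frozenset  # customer ASN plus its registered downstream ASNs
    rules: list
    log: list = field(default_factory=list)

    def check(self, prefix: str, as_path: list) -> Optional[str]:
        """Return None if accepted, else the drop reason; every drop is logged."""
        reason = self._reason(prefix, as_path)
        if reason is not None:
            self.log.append(f"{self.name}: DROP {prefix} path {as_path}: {reason}")
        return reason

    def _reason(self, prefix: str, as_path: list) -> Optional[str]:
        try:
            net = ipaddress.ip_network(prefix, strict=True)  # host bits set -> ValueError
        except ValueError:
            return "malformed prefix"
        if not as_path or as_path[0] != self.asn:
            return f"first AS in path is not customer AS{self.asn}"
        bad = [a for a in as_path if a not in self.permitted_asns]
        if bad:
            return f"AS-path contains unregistered AS {bad}"
        if not any(r.matches(net) for r in self.rules):
            return "prefix not in customer prefix-list"
        return None


def filter_announcements(policy: CustomerPolicy, announcements: list) -> list:
    """Apply the policy to (prefix, as_path) pairs; return the accepted prefixes."""
    return [p for p, path in announcements if policy.check(p, path) is None]


def build_example_policy() -> CustomerPolicy:
    # Constructed sample (hypothetical): AS64496 with one downstream, AS64497.
    return CustomerPolicy(
        name="cust-64496",
        asn=64496,
        permitted_asns=frozenset({64496, 64497}),
        rules=[
            PrefixRule(ipaddress.ip_network("192.0.2.0/24"), le=25),  # own block, /24 or /25s
            PrefixRule(ipaddress.ip_network("198.51.100.0/24")),      # downstream, exact only
        ],
    )


SAMPLE_ANNOUNCEMENTS = [  # constructed, not a real table dump
    ("192.0.2.0/24", [64496]),             # own aggregate: accept
    ("192.0.2.128/25", [64496]),           # permitted more-specific: accept
    ("198.51.100.0/24", [64496, 64497]),   # registered downstream: accept
    ("0.0.0.0/0", [64496]),                # default route: drop
    ("203.0.113.0/24", [64496]),           # someone else's block (the typo case): drop
    ("192.0.2.0/27", [64496]),             # too specific: drop
    ("198.51.100.0/24", [64496, 64498]),   # unregistered ASN behind the customer: drop
    ("192.0.2.0/24", [64499, 64496]),      # neighbor AS mismatch: drop
    ("192.0.2.1/24", [64496]),             # host bits set: drop as malformed
]


def run_example():
    policy = build_example_policy()
    accepted = filter_announcements(policy, SAMPLE_ANNOUNCEMENTS)
    return accepted, policy.log


if __name__ == "__main__":
    accepted, log = run_example()
    print("accepted:", accepted)
    for line in log:
        print(line)
```

Only three of the nine announcements survive; the six dropped ones each land in the log with the prefix, the full AS-path and the reason, which is the information you need before calling the customer to ask why they tried to announce 0/0. The AS-path check is what covers "ASNs behind yours": a downstream the customer never registered is rejected even when the prefix itself is on the list.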
