nanog mailing list archives

Re: using IRR tools for BGP route filtering
From: Jessica Yu <jyy_99 () yahoo com>
Date: Fri, 23 Jun 2000 07:01:24 -0700 (PDT)

--- Danny McPherson <danny () tcb net> wrote:

I agree with this, and have seen the document, and have worked
for large providers that performed prefix filtering on customers
long before IOPS existed.

I know that some ISPs have been doing that but that is
not good enough. The key is to have EVERY ISP do it to
leave no 'holes' for bad routes to sneak in. And
that's the model suggested in the paper.

However, if every ISP performed prefix-based filtering between
one another, it'd be improved "a lot more".  I recall more than
a few instances when providers inadvertently broke other
providers' customers by "mis-advertising" prefixes.

Agree. The ideal situation is to filter on all
interfaces where external routes come in, i.e. filter on
peers and customers. I used to work for an ISP (ANS)
who filtered all its peers and managed to
automatically generate router configurations including
a huge number of prefix filtering lines. It did help us to
dodge the disaster of AS7007 and other similar
incidents. However, it does introduce a lot more work.
Also, the toughest part is how often to update the
filtering list so that no legitimate prefixes are blocked.

How big a filter list a router can handle in its
configuration is something that needs to be investigated,
since the number of prefix lines will be huge for peer to
peer filtering.

In conclusion, the best is for ISPs to filter on peers
and customers. But if they cannot do that for peers,
at least filter on customers. If all ISPs filter their
customers, it's already a big step forward.

And if every ISP performed SA verification between one another
(presumably with the same filters) it would again be improved
"a lot" more.



If every ISP does prefix based filtering on its
downstream customers, the integrity of the
routing system will be improved a lot. The
below proposes such a model:
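
[Added example, not part of the original message and not the model or paper it refers to.] A sketch of the registry-driven customer filtering discussed in this message: build the allowed prefix set from IRR route objects, emit prefix-list lines, and compare a deployed filter with a fresh build to see which legitimate prefixes a stale list would block. The route objects, AS numbers, list name and max_len policy are constructed assumptions.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes and ASNs).
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64500

route:   203.0.113.0/24
origin:  AS64501
"""

def parse_routes(text):
    """Yield (network, origin) for each route object in an RPSL dump."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            yield ipaddress.ip_network(attrs["route"]), attrs["origin"].upper()

def customer_filter(text, customer_as):
    """Set of prefixes the registry lists with the customer's AS as origin."""
    return {net for net, origin in parse_routes(text) if origin == customer_as}

def accept(announced, allowed, max_len=24):
    """Accept only prefixes inside a registered prefix and no more specific
    than max_len (max_len is a hypothetical local policy)."""
    net = ipaddress.ip_network(announced)
    return net.prefixlen <= max_len and any(
        a.version == net.version and net.subnet_of(a) for a in allowed)

def render(allowed, name):
    """Emit one IOS-style prefix-list line per registered prefix."""
    return [f"ip prefix-list {name} seq {5 * i} permit {net}"
            for i, net in enumerate(sorted(allowed), 1)]

def filter_drift(deployed, current):
    """Compare the filter on the router with a fresh registry build."""
    return {"blocked_legit": sorted(map(str, current - deployed)),
            "stale": sorted(map(str, deployed - current))}
```
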

