nanog mailing list archives

Re: Strict route filtering at IX?
From: Peter Ehiwe <peterehiwe () gmail com>
Date: Wed, 12 Dec 2012 13:08:16 +0100

I use a mixture of BGP communities and prefix lists and it scales very
well for me.

Rgds Peter,
Sent from my Asus Transformer Pad
On Dec 12, 2012 3:24 AM, "Dan Luedtke" <mail () danrl de> wrote:

Hi NANOGers,

tl;dr What is the best practice for filtering a large number of
prefixes at an internet exchange?

Yesterday I ran into problems while writing new filtering rules for
my peerings at a local Exchange. My workflow probably has a flaw,
although it works fine for IPv6 (well, fewer prefixes there).

After the physical link was set up I started a BGP session with the
route server of the exchange. A few minutes later some other AS
imported my prefix, e.g. those listed at HE[1]. I guess they filtered
"less strict" :)
The next day the exchange's route server administrator added my AS-SET
to the AS-SET of the route server.

--- snip RIPE DB ---
as-set:         AS-KLEYREX-RS1
descr:          KleyReX Internet Exchange Frankfurt
[...]
members:        AS-NONATTACHED
--- snap ---

A few days have passed since then but the number of peers has not
increased as expected. Is this normal?
My mp-* entries look like this:

--- snip RIPE DB ---
aut-num:        AS57821
as-name:        NONATTACHED-AS
[...]
mp-import:      afi ipv4.unicast from AS31142 accept AS-KLEYREX-RS1
mp-export:      afi ipv4.unicast to AS31142 announce AS-NONATTACHED
--- snap ---

Yesterday I thought about importing the route server's prefixes and, of
course, filtering them. Using rtconfig[2] I created a filter for BIRD[3]
like this:

--- snip bird.conf ---
if (prefix_too_long()) then reject;
@rtconfig printPrefixes "if (net ~ [ %p/%l+ ]) then accept;\n" filter AS-KLEYREX-RS1
reject;
--- snap ---

This takes about 10-20 minutes and results in a very large config file
consisting of hundreds of prefixes in IPv4. The same config file for
IPv6 would be smaller. However, legacy protocol IPv4 is not yet dead so
I need to filter it somehow. BIRD sometimes segfaults when it is
advised to read those large filters.

So, here's the question: How do you filter at exchanges?
Where is the error in my workflow?
Is strict route filtering a myth?


Thanks for helping!


Dan

[1] http://bgp.he.net/AS57821#_peers
[2] http://irrtoolset.isc.org/wiki/RtConfig
[3] http://bird.network.cz
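The thread above describes a filter generated as one `if (net ~ [ prefix ]) then accept;` statement per prefix, which produces a config file of hundreds of lines that BIRD has trouble loading. The following Python script is an added example (not code from the thread, from rtconfig or from the BIRD project) of the alternative a practitioner would usually reach for: collapse the IRR expansion into a single BIRD prefix set using BIRD's `prefix{low,high}` range syntax, drop anything longer than a chosen maximum length up front, and emit one `accept` line instead of hundreds. The route list, the maximum length of 24 and the filter name `rs_in` are constructed assumptions for the example; the sample prefixes are RFC 5737 documentation ranges, not real routes.

```python
import ipaddress

# Assumption for this example: longest IPv4 prefix we are willing to accept
# from the route server. Anything more specific is dropped before it ever
# reaches the generated config.
MAX_IPV4_LEN = 24

# Constructed sample of what an IRR expansion of an AS-SET might return:
# (prefix, max-length) pairs. These are documentation prefixes, not real routes.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 24),
    ("198.51.100.0/22", 24),   # aggregate, more-specifics down to /24 allowed
    ("203.0.113.0/24", 24),
    ("203.0.113.0/25", 25),    # too long: must not appear in the output
    ("192.0.2.0/24", 24),      # duplicate: must be collapsed
    ("not-a-prefix", 24),      # garbage from a broken IRR object: must be dropped
]


def normalise(routes, max_len=MAX_IPV4_LEN):
    """Return sorted, de-duplicated (IPv4Network, max_len) pairs.

    Invalid strings, non-IPv4 entries and prefixes already longer than
    max_len are discarded; max_len is clamped so the generated set can
    never admit a route the operator did not intend to accept.
    """
    seen = {}
    for text, mlen in routes:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            continue
        if net.version != 4 or net.prefixlen > max_len:
            continue
        mlen = min(max(mlen, net.prefixlen), max_len)
        seen[net] = max(seen.get(net, 0), mlen)
    return sorted(seen.items(),
                  key=lambda kv: (int(kv[0].network_address), kv[0].prefixlen))


def set_member(net, mlen):
    """Render one prefix-set member in BIRD syntax: exact prefix, or a
    prefix{low,high} range when more-specifics are allowed."""
    if mlen == net.prefixlen:
        return str(net)
    return f"{net}{{{net.prefixlen},{mlen}}}"


def render_bird_filter(routes, name="rs_in", max_len=MAX_IPV4_LEN):
    """Emit a complete BIRD filter with one prefix set and one accept."""
    entries = normalise(routes, max_len)
    members = ",\n        ".join(set_member(n, m) for n, m in entries)
    return (
        f"filter {name} {{\n"
        f"    if net.len > {max_len} then reject;\n"
        f"    if net ~ [\n        {members}\n    ] then accept;\n"
        f"    reject;\n"
        f"}}\n"
    )


if __name__ == "__main__":
    print(render_bird_filter(SAMPLE_ROUTES))
```

In a real deployment the `SAMPLE_ROUTES` list would be replaced by the output of an IRR query for the route server's AS-SET, and the generated filter attached to the route-server session with `import filter rs_in;`. Because the prefixes live in one set rather than in hundreds of separate statements, BIRD compiles it into a single trie lookup, and the length check at the top rejects over-specific announcements without ever consulting the set.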



