nanog mailing list archives

Re: do not filter your customers
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 23 Feb 2012 10:49:53 -0500

On Thu, Feb 23, 2012 at 1:57 AM, Randy Bush <randy () psg com> wrote:
> and things went further downhill from there, when telstra also did not
> filter what they announced to their peers, and the peers went over
> prefix limits and dropped bgp.

Oh! so protections worked!

> imiho, prefix count is too big a hammer.

sure. aspath-filter! :)

> it would have been better if optus had irr-based filters in place on
> peerings with telstra.  then they would not have dropped the sessions
> and their customers could still reach telstra customers.

really, both parties need/should-have filters, right?
both parties should have their 'irr data' up-to-date...
both parties should also filter outbound prefixes (so they don't leak
internals, or ...etc)

telstra seems to have ~8880 or so prefixes registered in IRRs (via
radb whois lookup)
optus has ~1217 or so prefixes registered in IRRs (again via the same
lookup to radb)

> of course, if telstra did not publish accurately in an irr instance,
> not much optus could do.

it's not clear how accurate the data is :( I do see one example that's
not telstra (and which I don't see through telstra from one host I
tested from)

a REACH customer, supposedly, registered by REACH on the behalf of the
customer... the whole /16 there is allocated to the same entity not
REACH though, so that's a tad confusing.
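
The contrast drawn in this message, a prefix limit that tears the whole session down versus an IRR-derived filter that rejects only unregistered routes, as an added example that is not part of the original post. All prefixes, the limit of 10 and the /24 length policy are constructed assumptions; a real filter would be generated from the peer's IRR route objects.

```python
import ipaddress

# Constructed data: documentation/private prefixes, not real IRR or BGP contents.
IRR_ROUTES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
MAX_LEN = 24       # assumed policy: nothing longer than /24 is accepted
PREFIX_LIMIT = 10  # assumed per-session prefix limit

# What the peer sends during the leak: its registered routes plus 21 others.
ANNOUNCED = (["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
             + [f"10.{i}.0.0/16" for i in range(20)])

def irr_permits(prefix):
    """True if prefix is a registered route or a more-specific of one, up to MAX_LEN."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen <= MAX_LEN and any(
        net.subnet_of(r) for r in IRR_ROUTES if r.version == net.version)

def apply_max_prefix(announced, limit=PREFIX_LIMIT):
    """Prefix-count protection: over the limit the session drops, taking every route with it."""
    if len(announced) > limit:
        return {"session_up": False, "accepted": [], "rejected": list(announced)}
    return {"session_up": True, "accepted": list(announced), "rejected": []}

def apply_irr_filter(announced):
    """Per-prefix filter: unregistered routes are rejected, the session stays up."""
    accepted = [p for p in announced if irr_permits(p)]
    rejected = [p for p in announced if not irr_permits(p)]
    return {"session_up": True, "accepted": accepted, "rejected": rejected}

def apply_both(announced, limit=PREFIX_LIMIT):
    """IRR filter first, prefix limit as a backstop on what survives the filter.
    Assumption: the limit counts accepted routes; some routers count received ones."""
    filtered = apply_irr_filter(announced)
    limited = apply_max_prefix(filtered["accepted"], limit)
    limited["rejected"] += filtered["rejected"]
    return limited

if __name__ == "__main__":
    for name, result in (("max-prefix only", apply_max_prefix(ANNOUNCED)),
                         ("irr filter only", apply_irr_filter(ANNOUNCED)),
                         ("irr + max-prefix", apply_both(ANNOUNCED))):
        print(f"{name:17} session_up={result['session_up']} "
              f"accepted={len(result['accepted'])} rejected={len(result['rejected'])}")
```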
