[c-nsp] Peer pointing default route to us

Lukas Tribus luky-37 at hotmail.com
Tue Sep 30 08:45:51 EDT 2014


>> BCP38 (ingress filtering) sure, but egress filtering will just break your
>> network, imho.
> How?

Asymmetric routing, a BGP customer, or a BGP customer of a BGP customer
begins using a new prefix. Even if the prefix is correctly registered in the
IRDB, automatic filter updates may take some 48 hours or more to
update.

While we simply reject the prefix in BGP and the traffic crosses someone else's
network, we are disrupting legitimate production traffic when we are using
an outbound ACL on our upstream routers.



> Depending how high quality your as-set is, it might not. In RIPE area we can
> reasonably expect to have perfect AS-SET information from our customer (and
> ask them to fix mistakes during activation). I know in ARIN area such
> expectation is not reasonable at all.

Here in the RIPE region I've waited for 6 months for a customer of ours to deploy
the correct route object. Especially with small BGP customers this is a problem.

If we (as a BGP transit provider) would just accept route objects from the IRDB, the
traffic would simply not cross our network in those 6 months, but a competitor's
network, which means less dollars in our pocket.


Don't get me wrong: we filter our customer prefixes in BGP. We just cannot solely
rely on route-objects, sometimes it needs some human intervention on the
prefix-list to unblock a certain prefix (we are checking the RIR allocation of course,
but RIR allocation is not always equal to the route-object in the IRDB).


I can only apply loose mode uRPF for BGP customers; the same thus applies to
traffic egressing our network on peer and transit links.



Lukas
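
Added example, not part of the original post: a small Python model of the three source checks discussed in this message (strict uRPF, loose uRPF, and a static ACL built from route objects), applied to a customer that starts sourcing traffic from a prefix not yet in the filters. The FIB, the interface names, the ACL and the documentation prefixes are constructed assumptions.

```python
import ipaddress

# Constructed FIB of a transit provider: (prefix, interface of the best route).
FIB = [
    ("192.0.2.0/24", "cust1"),      # customer prefix accepted by the BGP prefix-list
    ("198.51.100.0/24", "peer1"),   # customer's new prefix: rejected on the customer
                                    # session, so the best route is via someone else
    ("203.0.113.0/24", "transit1"), # unrelated destination
]
# Constructed source ACL generated from route objects; the new prefix is not in it yet.
IRR_ACL = ["192.0.2.0/24"]


def best_interface(src, fib=FIB):
    """Longest-prefix match on the source; interface of the best route, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_urpf(src, in_if, fib=FIB):
    """Strict mode: the best route back to the source must use the arrival interface."""
    return best_interface(src, fib) == in_if


def loose_urpf(src, fib=FIB):
    """Loose mode: any route to the source is enough, whichever interface it uses."""
    return best_interface(src, fib) is not None


def acl_permits(src, acl=IRR_ACL):
    """Static source ACL: permit only sources inside a listed prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl)


def evaluate(src, in_if):
    """Verdict of each mechanism for a packet from src arriving on in_if."""
    return {"strict": strict_urpf(src, in_if), "loose": loose_urpf(src),
            "acl": acl_permits(src)}


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.10", "10.1.2.3"):
        print(src, evaluate(src, "cust1"))
```

Only loose mode passes the legitimate but not yet registered source 198.51.100.10 while still dropping the unrouted source 10.1.2.3.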

 		 	   		  

