Re: weird BGP cisco-ism? [problem resolved]

[Robert Gutierrez <Robert_Gutierrez () 3mail 3Com com>]

> What was happening is that, about a week ago, another provider got a
> request from a customer to route them a single /24 from the middle of
> our (non-portable) block. Because there was no IGP route for that customer,
> but a network line was in place, the other provider was, every 5-20 minutes,
> announcing the route for about 30 seconds, and then withdrawing it.
> but a network line was in place, the other provider was, every 5-20 minutes,
> announcing the route for about 30 seconds, and then withdrawing it.
>
> We peer with that provider directly, and can also see them via our transit
> provider

The assumption here is that the advertisement from the BGP peer in
question
was being rec'd by you and installed in the routing table, ie: you
accepted
a BGP advertisement in your own address space from another (untrusted)
peer?

I hate to state the obvious, but don't you filter your own blocks from
your other BGP peers?  Inbound, I mean.  Very simple:

   router bgp 1
   neighbor 10.1.1.1 remote-as 2
   neighbor 10.1.1.1 filter-list 99 in

   as-path access-list 99 deny ^$
   as-path access-list 99 deny ^1_
   [etc -- however you want to set it up]

Isn't this akin to wearing a condom nowadays in the 'net BGP routing
warz.

Before I left my last job, I was on my way to installing anal as-path
access
lists for our own customers who did BGP to prevent the above and also
prevent another Florida fiasco.  The idea was that we would only accept
explicit addresses from those BGP peers.  All that was need was to add a
list for each peer:

   neighbor 10.1.1.1 distribute-list 10 in
   access-list 10 permit 172.16.0.0

or even worse, enforce CIDR/prevent subnets by only accpeting the
specific
block advertisement:

   distribute-list 101 permit 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0

Just good practice to me :)  Hopefully everybody else is doing the
same???


        Rob Gutierrez / 3Com - GIS Internet Security