nanog mailing list archives

Re: "Neighbor maximum-prefix" option on routers

From: Jeff Aitken <jaitken () aitken com>
Date: Mon, 20 Nov 2006 09:17:28 -0500


On Mon, Nov 20, 2006 at 09:53:06AM +0100, Alexander Koch wrote:

Ain't that a bit over- engineered? If you have a prefix list
(presumably to a customer) do you want to seriously shutdown
the session when he sends you random prefixes because it is
easy to break when you are new to it? Would create unneeded
tickets I'd say. Prefix lists (exact match) with no max-prefix
(as those are then rejected anyway) work fine here...



There are several direct applications in provider networks that Joe 
alluded to, such as customer-triggered blackholes.  However, if you're
going to let your customers deaggregate, you need some other way of 
protecting your network from stupidity/maliciousness on your
customers' part.  You might do something like this, in cisco-speak:


    router bgp xxx
     neighbor 1.2.3.4 remote-as yyy
     neighbor 1.2.3.4 description my customer with ASN yyy
     neighbor 1.2.3.4 prefix-list FROM-ASyyy in
     neighbor 1.2.3.4 route-map from-cust in
     neighbor 1.2.3.4 maximum-prefix 100
     [...]
    !
    ip prefix-list FROM-ASyyy sequence 5 permit 10.0.0.0/8 le 32
    ip prefix-list FROM-ASyyy sequence 10 permit 172.16.0.0/12 le 32
    !
    route-map from-cust permit 10
     match community customer-blackhole
     set ip next-hop <null0, or whatever>
     set community no-export
    !
    route-map from-cust permit 20
     match ip address prefix-list longer-than-/24
     set community no-export
    !
    route-map from-cust permit 30
     set community my-customer-route-community
    !


Now, in addition to being able to announce his two aggregates, your
customer can announce more-specific routes (all the way up to /32)
to be blackholed or just for traffic-engineering purposes within your
network.  However, you're still protected if he announces more than
his configured maximum number of routes (100 in this example).

To answer your question, yes I absolutely want to shut down a peering
session with a misbehaving ASN *regardless* of whether or not that ASN
is a peer or customer.  The stability of my network (and therefore, my
ability to provide service to my other customers) depends on it.


--Jeff

Current thread:

"Neighbor maximum-prefix" option on routers Ricardo V. Oliveira (Nov 19)
- Re: "Neighbor maximum-prefix" option on routers Jay Hennigan (Nov 19)
  - Re: "Neighbor maximum-prefix" option on routers Alexander Koch (Nov 19)
    - Re: "Neighbor maximum-prefix" option on routers Mikael Abrahamsson (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Joe Abley (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Alexander Koch (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Daniele Arena (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Mikael Abrahamsson (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Niels Bakker (Nov 20)
    - Re: "Neighbor maximum-prefix" option on routers Jeff Aitken (Nov 20)
- <Possible follow-ups>
- Re: "Neighbor maximum-prefix" option on routers Scott Weeks (Nov 19)