nanog mailing list archives
Re: Route leak in Bangladesh
From: Job Snijders <job () instituut net>
Date: Tue, 30 Jun 2015 17:09:29 +0200
On Tue, Jun 30, 2015 at 10:53:45AM -0400, Sandra Murphy wrote:
That sort of AS_PATH filtering would not have helped in this case. The AS originated the routes, it did not propagate an upstream route. So an AS_PATH filter to just its own AS would have passed these routes. You would need origin validation on your outbound routes. Job suggested prefix filters on outbound routes. (If you are doing prefix filters on your inbound customer links, it might be excessive caution to also prefix filter customers prefixes on outbound links? Or is it: you can never be too careful, belt-and-suspenders, measure twice, etc?)
I wouldn't consider it to be excessive caution to bring more safeguards to the game, you never know when diarrhea will strike. If you were the network causing a leak of this type, prefix filters on inbound facing your customers might not have prevented this. If you are a network providing transit to the leak originator mentioned in the above paragraph, I believe a prefix based filter could have made a big difference. Kind regards, Job
Current thread:
- Re: Route leak in Bangladesh, (continued)
- Re: Route leak in Bangladesh Mark Tinka (Jun 30)
- Re: Route leak in Bangladesh Nick Hilliard (Jun 30)
- Re: Route leak in Bangladesh Job Snijders (Jun 30)
- Re: Route leak in Bangladesh Joe Abley (Jun 30)
- Re: Route leak in Bangladesh Job Snijders (Jun 30)
- Re: Route leak in Bangladesh Mark Tinka (Jun 30)
- Re: Route leak in Bangladesh Job Snijders (Jun 30)
- Re: Route leak in Bangladesh Sandra Murphy (Jun 30)
- Re: Route leak in Bangladesh Justin M. Streiner (Jun 30)
- Re: Route leak in Bangladesh Sandra Murphy (Jun 30)
- Re: Route leak in Bangladesh Job Snijders (Jun 30)
- Re: Route leak in Bangladesh Graham Beneke (Jun 30)
- Re: Route leak in Bangladesh Justin M. Streiner (Jun 30)