nanog mailing list archives
Re: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)
From: Ca By <cb.list6 () gmail com>
Date: Sun, 2 Aug 2020 13:06:52 -0700
On Sun, Aug 2, 2020 at 9:36 AM Robert Raszuk <robert () raszuk net> wrote:
> Hi Ca,
>
>> Noction is sold to ISPs, aka transit AS, afaik
>
> Interesting. My impression always was by talking to Noction some time back that mainly what they do is a flavor of performance routing.
>
> But this is not about Noction IMHO. If I am a non transit ASN with N upstream ISPs I want to exit not in a hot potato style ... if I care about my services I want to exit the best performing way to reach back customers.
>
> That's btw what Cisco PFR does or Google's Espresso or Facebook Edge Fabric etc ... And you have few vendors offering this as well as bunch of home grown tools attempting to do the same. Go and mandate that all of them will do NO-EXPORT if they insert any routes ... And we will see more and more of those type of tools coming.
>
> Sure we have implementations with obligatory policy on eBGP - cool. And yes we have match "ANY" too. So if your feedback is that to limit the iBGP routes to go out over eBGP this is all sufficient and we do not need a bit more protection there then case solved.
>
> Cheers,
> R.

My feedback is the local_pref is complete for this behavior of setting an outbound, including being non-transitive.

FB uses local-pref for this afaik

https://research.fb.com/blog/2017/08/steering-oceans-of-content-to-the-world/

> On Sun, Aug 2, 2020 at 4:42 PM Ca By <cb.list6 () gmail com> wrote:
>
>> On Sun, Aug 2, 2020 at 4:34 AM Robert Raszuk <robert () raszuk net> wrote:
>>
>>> All,
>>>
>>> Watching this thread with interest got an idea - let me run it by this list before taking it any further (ie. to IETF).
>>>
>>> How about we learn from this and try to make BGP just a little bit safer ?
>>>
>>> *Idea:*
>>>
>>> In all stub (non transit) ASNs we modify BGP spec and disable automatic iBGP to eBGP advertisement ?
>>
>> Why do you believe a stub AS was involved or that would have changed this situation?
>>
>> The whole point of Noction is for a bad isp to fake more specific routes to downstream customers. Noction is sold to ISPs, aka transit AS, afaik
>>
>>> *Implementation:*
>>>
>>> Vendors to allow to define as part of global bgp configuration if given ASN is transit or not. The default is to be discussed - no bias.
>>
>> Oh. A configuration knob. Noction had knobs, the world runs on 5 year old software with default configs.
>>
>>> *Benefit:*
>>>
>>> Without any issues anyone playing any tools in his network will be able to just issue one cli
>>
>> Thanks for not pretending we configure our networks with yang model apis
>>
>>> and be protected from accidentally hurting others. Yet naturally he will still be able to advertise his networks just as today except by explicit policy in any shape and form we would find proper (example: "redistribute iBGP to eBGP policy-X").
>>
>> XR rolls this way today, thanks Cisco. But the “any” keyword exists, so yolo.
>>
>>> We could even discuss if this should be perhaps part of BGP OPEN or BGP capabilities too such that two sides of eBGP session must agree with each other before bringing eBGP up.
>>>
>>> Comments, questions, flames - all welcome :)
>>>
>>> Cheers,
>>> Robert.
>>>
>>> PS. Such a definition sure can and likely will be misused (especially if we would just settle on only a single side setting it - but that will not cause any more harm as not having it at all).
>>>
>>> Moreover I can already see few other good options which BGP implementation or BGP spec can be augmented with once we know we are stub or for that matter once it knows it is transit ....
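
The export-side controls discussed in this thread (NO-EXPORT on injected routes, an explicit outbound policy instead of match "ANY", and the proposed stub-AS default), modelled as an added Python example that is not part of the original messages. The `Route` class, the `stub_as` flag and the sample prefixes are constructed for illustration; `stub_as` only mirrors the proposal quoted above and is not a knob of any real BGP implementation.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

NO_EXPORT = "NO_EXPORT"  # well-known community (RFC 1997)

@dataclass
class Route:
    prefix: str
    source: str                      # "local" or "ibgp"
    local_pref: int = 100
    communities: set = field(default_factory=set)

def ebgp_export(rib, policy, stub_as=False):
    """Return the updates an eBGP neighbor would receive.

    policy  -- "any", or an iterable of prefixes explicitly permitted outbound.
    stub_as -- hypothetical knob modelled on the proposal in the thread: in a
               stub AS, iBGP-learned routes need an explicit (non-"any") permit.
    """
    permit = None if policy == "any" else {ip_network(p) for p in policy}
    updates = []
    for r in rib:
        if NO_EXPORT in r.communities:
            continue                 # must not be advertised outside the AS
        if permit is not None and ip_network(r.prefix) not in permit:
            continue                 # explicit outbound prefix filter
        if stub_as and permit is None and r.source == "ibgp":
            continue                 # proposed default: no implicit iBGP -> eBGP
        # LOCAL_PREF is not sent to external peers, so it is left out here.
        updates.append({"prefix": r.prefix, "communities": sorted(r.communities)})
    return updates

def exported_prefixes(rib, policy, stub_as=False):
    return [u["prefix"] for u in ebgp_export(rib, policy, stub_as)]

# Constructed sample RIB (documentation prefixes): one originated aggregate and
# two more-specifics injected over iBGP by a route optimizer.
OWN = Route("192.0.2.0/24", "local")
INJECTED = [Route("198.51.100.0/25", "ibgp", local_pref=200),
            Route("198.51.100.128/25", "ibgp", local_pref=200)]
TAGGED = [Route(r.prefix, r.source, r.local_pref, {NO_EXPORT}) for r in INJECTED]

if __name__ == "__main__":
    print("any, untagged :", exported_prefixes([OWN] + INJECTED, "any"))
    print("any, NO_EXPORT:", exported_prefixes([OWN] + TAGGED, "any"))
    print("explicit list :", exported_prefixes([OWN] + INJECTED, ["192.0.2.0/24"]))
    print("any, stub knob:", exported_prefixes([OWN] + INJECTED, "any", stub_as=True))
```

Only the first case, a match-any export with untagged injected routes, advertises the more-specifics to the external neighbor; each of the other three controls independently keeps them inside the AS.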