Re: [doable?] peer filtering (was Re: Trusting BGP sessions)

["Kevin Oberman" <oberman () es net>]

First, it is not clear to me whether Juniper can prefix filter on a
tier 1. Cisco can prefix filter on SOME NSPs that might be classed as
tier 1. ESnet prefix filters on all peers that have fewer than about
10,000 prefixes.

As we are moving to Juniper at one peering point, we might try
filtering come bigger peers.  The Juniper folks say that they are
still testing how extremely large policies effect performance. We will
see.

Note: I am only talking about filtering BGP announcements, not packets!

Since Sprint and UUnet don't seem to be willing to provide information
in the IRR to allow us to generate access-lists/policies, and not
peering with these folks would be a Bad Idea(tm), so we can't quite
filter everyone. (If I could figure out a way to get them to register,
I'd have fun trying, though.)

The only downside to such filtering I have seen is that some folks
(including some which use the router servers which mandate
registration) are very lax about registration. It also makes for some
rather long configuration files.  Even with many large peers not being
filtered, configurations at major meet points exceed a megabyte.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634