Re: BGP Path Filtering

[Leo Bicknell <bicknell () ufp org>]

In a message written on Thu, May 15, 2003 at 10:29:18PM -0400, Mark Radabaugh wrote:
> I'm having a hard time finding best practices for filtering outbound bgp
> announcements when providing transit to bgp-speaking customers.  While we
> currently multi-home to several providers it appears we will soon need to
> provide transit for customers with their own AS's.

I strongly recomend you prefix list filter your customers, rather
than AS path filter them.  While AS path filters to prevent some
kinds of abuse and accidental mistake, they still allow your customer
to hijack any address space in your network (and possibly beyond)
at any time.

> ip as-path access-list 3 permit ^12345$
>
> but I think this breaks if AS12345 prepends their advertisement.

Probably you want something more like:

ip as-path access-list 3 permit ^(12345_)+$
ip as-path access-list 3 permit ^(12345_)+(6789_)+$

Giving both the customer, and customer with a customer case.  That is
both specific, and allows for prepends.  Your example has a couple of
problems:

> ip as-path access-list 3 permit ^12345_[0-9]$*

First, it's not a valid regex ($* need to be *$), second, it allows any
(single) AS behind 12345, so it's hardly a useful filter.

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request () tmbg org, www.tmbg.org

Attachment: _bin
Description: