Re: Filter on IXP

[Jérôme Nicolle <jerome () ceriz fr>]

Le 28/02/2014 17:00, Jay Ashworth a écrit :
> > From: "Jérôme Nicolle" <jerome () ceriz fr>
> > Instead, IXPs _could_ enforce BCP38 too. Mapping the route-server's
> > received routes to ingress _and_ egress ACLs on IXP ports would mitigate
> > the role of BCP38 offenders within member ports. It's almost like uRPF
> > in an intelligent and useable form.
>
> Interesting.  Are you doing this?  Planning it?  Or at least researching
> how well it would work?

Juste seriously considering it on TOUIX. I'd propose it to Lyonix and
France-IX too.

> > A noticeable side-effect is that members would be encouraged to announce
> > their entire customer-cones to ensure egress trafic from a non-exchanged
> > prefix would not be dropped on the IX's port.
>
> Don't they do this already?

Not to my knowledge. Some members are only announcing regional prefixes
on smaller IXs. They could however exchange trafic originaing from any
region of their networks.

Best would be to differentiate announced prefixes from legitimately
announcable prefixes, as registered to RIPEdb (as far as we're concerned).

In a more global perspective, the extended best-practice could be to set
ACLs as we generate prefix-lists, route-maps and route-filters for BGP
downlinks and PNIs too.

> If you get something practical implemented on this topic, we'd be more
> than pleased to see it show up on bcp38.info; exchange points are the
> one major construct I hadn't included there, cause I didn't think it was
> actually practical to do it there.  But then, I don't run one.

I think the idea worth investigating, but I run a very small IXP and
will most certainly be unable to fully investigate every potential
side-effects on my own. I'll be reaching out to bigger ones in my next
email.

-- 
Jérôme Nicolle
+33 6 19 31 27 14