nanog mailing list archives

Re: Route leak in Bangladesh


From: Sandra Murphy <sandy () tislabs com>
Date: Tue, 30 Jun 2015 10:53:45 -0400


On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner () cluebyfour org> wrote:

> On Tue, 30 Jun 2015, Matsuzaki Yoshinobu wrote:
>
>> Randy Bush <randy () psg com> wrote
>>>> A friend in AS58587 confirmed that this was caused by a configuration
>>>> error - it seems to be related to redistribution, and they have already
>>>> fixed that.
>>>
>>> 7007 all over again.  do not redistribute bgp into igp.  do not
>>> redistribute igp into bgp.
>>
>> I also suggested that they implement BGP community based route filtering
>> in their outbound policy.  Any other suggestions or thoughts to
>> prevent such incidents in general?
>
> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) and
> your downstream customer ASNs.  Whether this is done manually, built using
> AS-SETs from your route registry of choice, or through some other
> automated means is another story.


That sort of AS_PATH filtering would not have helped in this case.  The AS originated the routes, it did not propagate an upstream route.

So an AS_PATH filter to just its own AS would have passed these routes.

You would need origin validation on your outbound routes.  Job suggested prefix filters on outbound routes.  (If you are doing prefix filters on your inbound customer links, it might be excessive caution to also prefix filter customers' prefixes on outbound links?  Or is it: you can never be too careful, belt-and-suspenders, measure twice, etc?)

--Sandy
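
Added example, not part of the original message: a minimal Python model of the two outbound filters discussed in this thread, run over constructed candidate announcements. The ASNs (64500, 64501, 64510, 64511) and prefixes are documentation values chosen for illustration, and the function names are hypothetical.

```python
import ipaddress

LOCAL_AS = 64500                 # constructed: documentation ASNs (RFC 5398)
CUSTOMER_AS = {64501}
# Prefixes this AS may announce: its own plus its customers' (constructed, RFC 5737).
ALLOWED_PREFIXES = [
    (ipaddress.ip_network("192.0.2.0/24"), 24),      # own
    (ipaddress.ip_network("198.51.100.0/24"), 24),   # customer 64501
]

def as_path_ok(as_path):
    """AS_PATH filter: only our ASN and downstream customer ASNs may appear."""
    return all(asn == LOCAL_AS or asn in CUSTOMER_AS for asn in as_path)

def prefix_ok(prefix):
    """Outbound prefix filter: prefix must sit inside an allowed block, up to its max length."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(block) and net.prefixlen <= max_len
               for block, max_len in ALLOWED_PREFIXES)

def evaluate(routes):
    """Return {name: (as_path_ok, prefix_ok)} for each candidate announcement."""
    return {name: (as_path_ok(path), prefix_ok(prefix))
            for name, prefix, path in routes}

# Candidate outbound announcements; as_path is as held locally, before our ASN is prepended.
ROUTES = [
    ("own prefix", "192.0.2.0/24", []),
    ("customer route", "198.51.100.0/24", [64501]),
    ("upstream route leaked as transit", "203.0.113.0/24", [64510, 64511]),
    # Redistributed from IGP into BGP: the original path is lost and we become the origin.
    ("upstream prefix re-originated", "203.0.113.0/24", []),
]

if __name__ == "__main__":
    for name, (path_pass, pfx_pass) in evaluate(ROUTES).items():
        verdicts = ["pass" if ok else "drop" for ok in (path_pass, pfx_pass)]
        print(f"{name:35} as-path={verdicts[0]} prefix={verdicts[1]}")
```

The re-originated route is the case the reply describes: its path contains nothing but the local AS, so the AS_PATH filter passes it and only the prefix filter drops it.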
