nanog mailing list archives

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters


From: Jared Mauch <jared () puck nether net>
Date: Thu, 4 Feb 2016 11:32:54 -0500


On Feb 4, 2016, at 6:58 AM, Henrik Thostrup Jensen <htj () nordu net> wrote:

In addition, in case of "as-set", an ISP needs to recursively find all the AS numbers from "members" attributes 
because "as-set" can include other "as-sets"?

Some irrd servers can expand this automatically (I think). But seriously, use a tool for this.

Quite a lot of questions, but I would simply like to be sure that I understand this correctly.

There are basically two abstractions:

1. as-set. Can contain other as-sets or as numbers.
2. prefixes are registered to an as-number.

Remember that there are multiple IRR servers, and they mirror each other.

Use http://irrexplorer.nlnog.net/ to play around a bit :-).


Yes.  We record the customer ASN and the AS-SET for each AFI (v4|v6) and expand these and push updated lists to devices 
daily or on demand based on customer need.

You should be able to build off any of the mirrored IRRds out there as they all mirror each other, often with minimal 
lag (5-30 minutes).

The days of fetching via FTP once a day are long gone and a relic of the past.

I recommend using AS-PATH combined with prefix filters to keep your pants on.  Rejecting things like networks you may 
get transit from, from customers and peers, helps avoid feeding my route leak system. 
http://puck.nether.net/bgp/leakinfo.cgi

You should also not be using any IOS devices for BGP as documented in CSCuq14541 where they leak the full table.

- Jared
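
An added example, not part of the original thread: a sketch of the recursive as-set expansion and per-AFI prefix list generation discussed above. The RPSL objects, set names, ASNs and prefixes are constructed for illustration; a production setup would query a mirrored IRR server with an existing tool rather than parse text like this.

```python
import ipaddress
# Constructed sample IRR objects (documentation ASNs/prefixes); the two sets reference each other.
SAMPLE_RPSL = """\
as-set: AS-EXAMPLE-CUST
members: AS64496, AS-EXAMPLE-DOWNSTREAM

as-set: AS-EXAMPLE-DOWNSTREAM
members: AS64497, AS-EXAMPLE-CUST

route: 192.0.2.0/24
origin: AS64496

route6: 2001:db8:1::/48
origin: AS64497

route: 203.0.113.0/24
origin: AS64511
"""

def parse_rpsl(text):
    """Return (as_sets, routes): set name -> members, origin ASN -> prefixes."""
    as_sets, routes = {}, {}
    for block in text.strip().split("\n\n"):
        attrs = [tuple(p.strip() for p in ln.split(":", 1)) for ln in block.splitlines() if ":" in ln]
        cls, key = attrs[0]
        if cls == "as-set":
            as_sets[key.upper()] = [m.strip().upper() for k, v in attrs
                                    if k == "members" for m in v.split(",") if m.strip()]
        elif cls in ("route", "route6"):
            origin = next(v.upper() for k, v in attrs if k == "origin")
            routes.setdefault(origin, []).append(ipaddress.ip_network(key))
    return as_sets, routes

def expand_as_set(name, as_sets):
    """Resolve an as-set to member ASNs; 'seen' stops loops between nested sets."""
    asns, seen, stack = set(), set(), [name.upper()]
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        if item[2:].isdigit():          # plain ASN such as AS64496
            asns.add(item)
        else:                           # nested as-set; unknown sets add nothing
            stack.extend(as_sets.get(item, []))
    return asns

def build_prefix_filter(name, as_sets, routes, version):  # version: 4 or 6 (one list per AFI)
    asns = expand_as_set(name, as_sets)
    return sorted({n for a in asns for n in routes.get(a, []) if n.version == version})
```

The route originated by AS64511 stays out of both lists because that ASN is not reachable from the customer's as-set, which is the property the generated filter enforces.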


