Re: BGP route hijack by AS10990

[Owen DeLong <owen () delong com>]

> On Aug 1, 2020, at 11:14 , Hank Nussbacher <hank () interall co il> wrote:
>
> On 01/08/2020 00:50, Mark Tinka wrote:
> > On 31/Jul/20 23:38, Sabri Berisha wrote:
> >
> > > Kudos to Telia for admitting their mistakes, and fixing their processes.
> > Considering Telia's scope and "experience", that is one thing. But for
> > the general good of the Internet, the number of intended or
> > unintentional route hijacks in recent years, and all the noise that
> > rises on this and other lists each time we have such incidents (this
> > won't be the last), Telia should not have waited to be called out in
> > order to get this fixed.
> >
> > Do we know if they are fixing this on just this customer of theirs, or
> > all their customers? I know this has been their filtering policy with us
> > (SEACOM) since 2014, as I pointed out earlier today. There has not been
> > a shortage of similar incidents between now and then, where the
> > community has consistently called for more deliberate and effective
> > route filtering across inter-AS arrangements.
> AS  level filtering is easy.  IP prefix level filtering is hard.  Especially when you are in the top 200:
> https://asrank.caida.org/ <https://asrank.caida.org/>
IP Prefix level filtering at backbone<->backbone connections is hard (and mostly pointless).

IP Prefix level filtering at the customer edge is not that hard, no matter how large of a transit
provider you are. Customer edge filtration by Telia in this case would have prevented this
problem from spreading beyond the misconfigured ASN.

> That being said, and due to these BGP "polluters" constantly doing the same thing, wouldn't an easy fix be to use the 
> max-prefix/prefix-limit option:
> https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/25160-bgp-maximum-prefix.html 
> <https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/25160-bgp-maximum-prefix.html>
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-limit-edit-protocols-bgp.html
>  
> <https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-limit-edit-protocols-bgp.html>
That’s a decent pair of suspenders to go with the belt of prefix filtration at the edge, but it’s no substitute.

> For every BGP peer,  the ISP determines what the current max-prefix currently is.  Then add in 2% and set the 
> max-prefix. 
> An errant BGP polluter would then only have limited damage to the Internet routing table.
> Not the greatest solution, but easy to implement via a one line change on every BGP peer.

To the best of my knowledge, that’s already fairly common practice. It’s usually more like 10% (2% would require way
too much active change and create churn and risk).

Owen