Re: BGP route hijack by AS10990

[Nick Hilliard <nick () foobar org>]

Sabri Berisha wrote on 01/08/2020 20:03:
> but because Noction's decision to not enable NO_EXPORT by default

the primary problem is not this but that Noction reinjects prefixes into 
the local ibgp mesh with the as-path stripped and then prioritises these 
prefixes so that they're learned as the best path.

The as-path is the primary loop detection mechanism in eBGP.  Removing 
this is like hot-wiring your electrical distribution board because you 
found out you could get more power if you bypass those stupid RCDs.

Once you strip off the as-path in the local view, it's like the AS7007 
incident desperately begging to happen all over again.

As long as route optimiser vendors ship their products with such deeply 
harmful defaults, we're going to continue to see these problems ad nauseam.

Nick