nanog mailing list archives

Re: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)


From: Mark Tinka <mark.tinka () seacom com>
Date: Sun, 2 Aug 2020 14:12:15 +0200



On 1/Aug/20 18:58, Job Snijders wrote:

Following a large-scale BGP incident in March 2015, Noction made it
possible to optionally set the well-known NO_EXPORT community on route
advertisements originated by IRP instances.

    "In order to further reduce the likelihood of these problems
    occurring in the future, we will be adding a feature within Noction
    IRP to give an option to tag all the more specific prefixes that it
    generates with the BGP NO_EXPORT community. This will not be enabled
    by default [snip]"
    https://www.noction.com/blog/route-optimizers
    Mar 27, 2015

Due to NO_EXPORT not being set in the default configuration, there are
probably, if not certainly, many unsuspecting network engineers who end up
deploying this software without ever even considering changing that
one setting in the configuration.

Fast forward a few years and a few incidents, on the topic of default
settings, following the Cloudflare/DQE/Verizon incident:

    "We do have no export community support and have done for many
    years. The use of more specifics is also optional. Neither replaces
    the need for filters."
    https://twitter.com/noction/status/1143177562191011840
    Jun 24, 2019

Community members responded:

    "Noction have been facilitating Internet outages for years and
    years and the best thing they can say in response is that it is
    technically possible to use their product responsibly, they just
    don't ship it that way."
    https://twitter.com/PowerDNS_Bert/status/1143252745257979905
    June 24, 2019

Last year Noction stated:

    "Nobody found this leak pleasant."
    https://www.noction.com/news/incident-response
    June 26, 2019

Sentiment we all can agree with, change is needed!

As far as I know, Noction IRP is the ONLY commercially available
off-the-shelf BGP route manipulation software which - as default - does
NOT set the BGP well-known NO_EXPORT community on the product's route
advertisements. This is a product design decision which causes
collateral damage.

I would like to urge Noction to reconsider their position. Seek to
migrate the existing users to use NO_EXPORT, and release a new version
of the IRP software which sets NO_EXPORT BY DEFAULT on all generated
routes.

A great first step!

Mark.

