Re: any dangers of filtering every /24 on full internet table to preserve FIB space ?

[William Herrin <bill () herrin us>]

On Sun, Oct 16, 2022 at 1:01 AM Matthew Petach <mpetach () netflight com> wrote:
> Their assumption that *everyone* would hear the more specifics,
> and thus the traffic would flow to the right island location was the
> "failure to understand BGP" that I was commenting on, and noting
> that while it is entirely correct to decide if you want to filter prefixes
> of an arbitrary length from entering your network, you may discover
> in the process that other networks that do not understand BGP and
> routing in general may complain that you have Broken The Internet(tm)
> by doing so.

Matthew,

We studied aggregation to death back in the IRTF Routing Research
Group. The bottom line is that you can aggregate at the source and you
can aggregate at the BGP leaf nodes (transits, no downstreams or
peers) but RIB aggregation anywhere else in the interdomain protocol
breaks the network. You may wish that you could filter those
more-specific prefixes but you are quite mistaken: that is NOT how BGP
works. In point of fact, we couldn't come up with any theoretical
interdomain routing protocol in which it was possible to filter
conventionally legitimate prefixes and have the system operate
reasonably. As near as we could determine, no such thing exists.

When I design a covering route, I include a VPN to the site with the
more-specific to catch the occasional misrouted packet. But then I
also parse the TCP SYN packets and reduce the MSS because there are
knuckleheads which think they can filter ICMP and have TCP merrily
work without functional path MTU discovery. Those folks are wrong too,
TCP doesn't work the way they think, but I'd rather keep the customer
than win the argument.

Regards,
Bill Herrin


> Assuming that your announcement of more specifics will always pull
> traffic away from a less-specific announcement is overly-optimistic.
> While it may *often* work, you should still be prepared to deal with
> traffic arriving at your least-specific announcement as well.
>
> This turned out to be something that not every network on the
> Internet fully grasps, and my original message was warning that
> filtering on /24s would potentially bring complaints from networks
> like those.
>
> It took a roundabout path, but I'm glad we eventually both ended
> up at the same place.   :)
>
> Thanks!
>
> Matt


-- 
For hire. https://bill.herrin.us/resume/