> On Aug 1, 2020, at 11:14, Hank Nussbacher <h...@interall.co.il> wrote:
>
> On 01/08/2020 00:50, Mark Tinka wrote:
>> On 31/Jul/20 23:38, Sabri Berisha wrote:
>>
>>> Kudos to Telia for admitting their mistakes, and fixing their processes.
>> Considering Telia's scope and "experience", that is one thing. But for
>> the general good of the Internet, the number of intended or
>> unintentional route hijacks in recent years, and all the noise that
>> rises on this and other lists each time we have such incidents (this
>> won't be the last), Telia should not have waited to be called out in
>> order to get this fixed.
>>
>> Do we know if they are fixing this on just this customer of theirs, or
>> all their customers? I know this has been their filtering policy with us
>> (SEACOM) since 2014, as I pointed out earlier today. There has not been
>> a shortage of similar incidents between now and then, where the
>> community has consistently called for more deliberate and effective
>> route filtering across inter-AS arrangements.
>>
>>
> AS level filtering is easy. IP prefix level filtering is hard. Especially
> when you are in the top 200:
> https://asrank.caida.org/

IP Prefix level filtering at backbone<->backbone connections is hard (and mostly pointless).

IP Prefix level filtering at the customer edge is not that hard, no matter how large of a transit provider you are. Customer edge filtration by Telia in this case would have prevented this problem from spreading beyond the misconfigured ASN.

> That being said, and due to these BGP "polluters" constantly doing the same
> thing, wouldn't an easy fix be to use the max-prefix/prefix-limit option:
> https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/25160-bgp-maximum-prefix.html
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-limit-edit-protocols-bgp.html

That’s a decent pair of suspenders to go with the belt of prefix filtration at the edge, but it’s no substitute.

> For every BGP peer, the ISP determines what the current max-prefix currently
> is. Then add in 2% and set the max-prefix.
> An errant BGP polluter would then only have limited damage to the Internet
> routing table.
> Not the greatest solution, but easy to implement via a one line change on
> every BGP peer.

To the best of my knowledge, that’s already fairly common practice. It’s usually more like 10% (2% would require way too much active change and create churn and risk).

Owen
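
The two controls compared in this message, as an added example that is not part of the original thread: a per-session max-prefix limit with headroom next to a customer-edge prefix filter, run over constructed announcements. The function names, the /24 length cap, and all prefixes are assumptions made for illustration.

```python
import ipaddress

def max_prefix_limit(current_count, headroom_pct=10):
    """Prefixes seen today plus headroom, rounded up (integer math)."""
    return current_count + (current_count * headroom_pct + 99) // 100

def edge_filter(announced, allowed, max_len=24):
    """Split announcements into (accepted, rejected). A route passes only if
    it is equal to or more specific than a prefix registered to the customer
    and no longer than max_len (assumed IPv4 /24 cap)."""
    allowed_nets = [ipaddress.ip_network(p) for p in allowed]
    accepted, rejected = [], []
    for prefix in announced:
        net = ipaddress.ip_network(prefix)
        ok = net.prefixlen <= max_len and any(
            net.version == a.version and net.subnet_of(a) for a in allowed_nets
        )
        (accepted if ok else rejected).append(prefix)
    return accepted, rejected

def evaluate(announced, allowed, limit):
    """Return (max_prefix_tripped, accepted, rejected) for one session."""
    tripped = len(announced) > limit
    accepted, rejected = edge_filter(announced, allowed)
    return tripped, accepted, rejected

# Constructed sample data: benchmark, documentation and shared address space.
ALLOWED = ["198.18.0.0/19"]                        # customer's registered block
NORMAL = [f"198.18.{i}.0/24" for i in range(20)]   # what the customer sends today
SMALL_LEAK = NORMAL + ["192.0.2.0/24", "203.0.113.0/24"]     # two foreign routes
BIG_LEAK = NORMAL + [f"100.64.{i}.0/24" for i in range(50)]  # large leak
LIMIT = max_prefix_limit(len(NORMAL))              # 20 prefixes + 10% headroom

if __name__ == "__main__":
    for name, routes in [("normal", NORMAL), ("small leak", SMALL_LEAK),
                         ("big leak", BIG_LEAK)]:
        tripped, accepted, rejected = evaluate(routes, ALLOWED, LIMIT)
        print(f"{name:10} sent={len(routes):3} limit={LIMIT} "
              f"max-prefix tripped={tripped} filter rejected={len(rejected)}")
```

The small leak stays inside the headroom, so only the prefix filter rejects the foreign routes; the large leak is caught by both.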