On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <strei...@cluebyfour.org> 
wrote:

> On Tue, 30 Jun 2015, Matsuzaki Yoshinobu wrote:
> 
>> Randy Bush <ra...@psg.com> wrote
>>>> A friend in AS58587 confirmed that this was caused by a configuration
>>>> error - it seems to be related to redistribution, and they already
>>>> fixed that.
>>> 
>>> 7007 all over again.  do not redistribute bgp into igp.  do not
>>> redistribute igp into bgp.
>> 
>> I also suggested that they implement BGP community based route filtering
>> in their outbound policy.  Any other suggestions or thoughts to
>> prevent such incidents in general?
> 
> At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) and 
> your downstream customer ASNs.  Whether this is done manually, built using 
> AS-SETs from your route registry of choice, or through some other
> automated means is another story.
> 

That sort of AS_PATH filtering would not have helped in this case.  The AS 
originated the routes; it did not propagate an upstream route.

So an AS_PATH filter to just its own AS would have passed these routes.

You would need origin validation on your outbound routes.  Job suggested prefix 
filters on outbound routes.  (If you are doing prefix filters on your inbound 
customer links, it might be excessive caution to also prefix filter customers' 
prefixes on outbound links?  Or is it: you can never be too careful, 
belt-and-suspenders, measure twice, etc?)

--Sandy
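
The point made in the message above, as an added example that is not part of the original thread: a small Python model of an outbound policy that runs an AS_PATH filter and a prefix filter over the same routes. All ASNs and prefixes are constructed from documentation ranges, the function names are hypothetical, and the leak is assumed to re-enter BGP through redistribution, as the thread describes.

```python
import ipaddress

# All values below are constructed (documentation ASNs and prefixes).
LOCAL_AS = 64496
CUSTOMER_ASNS = {64497}
# Prefixes this AS may announce: its own plus its customers'.
ALLOWED_PREFIXES = {ipaddress.ip_network(p)
                    for p in ("192.0.2.0/24", "198.51.100.0/24")}

# (prefix, AS_PATH as the neighbor would see it, note)
ROUTES = [
    ("192.0.2.0/24", [64496], "own prefix"),
    ("198.51.100.0/24", [64496, 64497], "customer prefix"),
    ("203.0.113.0/24", [64496, 64510, 64511], "upstream route, path intact"),
    # Redistribution through the IGP drops the original AS_PATH, so the
    # route re-enters BGP looking locally originated.
    ("203.0.113.0/24", [64496], "upstream route re-originated"),
]

def as_path_permits(as_path):
    """Outbound AS_PATH filter: local AS first, then customer ASNs only."""
    return (bool(as_path) and as_path[0] == LOCAL_AS
            and all(asn in CUSTOMER_ASNS for asn in as_path[1:]))

def prefix_permits(prefix):
    """Outbound prefix filter: exact match against the allowed set."""
    return ipaddress.ip_network(prefix) in ALLOWED_PREFIXES

def evaluate(routes):
    """Return (prefix, note, as_path_ok, prefix_ok) for each route."""
    return [(p, note, as_path_permits(path), prefix_permits(p))
            for p, path, note in routes]

def missed_by_as_path_filter(routes):
    """Routes the AS_PATH filter passes but the prefix filter rejects."""
    return [(p, note) for p, note, path_ok, pfx_ok in evaluate(routes)
            if path_ok and not pfx_ok]

if __name__ == "__main__":
    for p, note, path_ok, pfx_ok in evaluate(ROUTES):
        print(f"{p:18} {note:30} as_path={path_ok!s:5} prefix={pfx_ok}")
    print("missed by AS_PATH filter:", missed_by_as_path_filter(ROUTES))
```

Only the re-originated route passes the AS_PATH filter while failing the prefix filter; the upstream route with its path intact is rejected by the AS_PATH filter alone.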
