[afnog] BGP /AS filtering
Nishal Goburdhan
ndg at ieee.org
Mon Jul 1 12:36:08 UTC 2013
On 01 Jul 2013, at 1:43 PM, "Saul Stein" <saul at enetworks.co.za> wrote:
> Hi
> OK so now my question needs to change. I was thinking that I shouldn't
> accept bad/private AS paths from customers that buy transit from me and
> should either get them to fix their things or block them until they do.
> Clearly this isn't the way things are done.
>
> (Yes soon RPKI will really assist with this but in the meantime) does one
> just filter ^AS-path_ and then all the prefixes that can be received from them?
no. filter on ^as-path and prefix-filter. belt and braces!
filtering just the as-path is bad. if you *must* choose, pick prefix-filters. more admin work, but safer.
(unless you're pretty certain that the person you're peering with has clue, in which case, continue to filter on both as-path and prefix-filter...!)
automate it where you can - pull data from IRRs.
*always* filter downstream.
sink bogons.
use sunscreen...
as you've seen already, filtering is best done at the (very) edge - if it was done properly, there'd be a lot less mess to deal with...
--n.
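
The belt-and-braces inbound check described in the reply above, as an added example that is not part of the original message. It shows why an as-path filter alone is not enough: a route with a clean path but a prefix the customer does not hold only fails at the prefix filter. The customer ASNs, as-set expansion, prefixes and the /24 length limit are constructed assumptions using documentation ranges.

```python
import ipaddress

# Constructed policy for a hypothetical transit customer (documentation ASNs/prefixes).
CUSTOMER_AS = 64500
ALLOWED_ASNS = {64500, 64501}  # assumed expansion of the customer's IRR as-set
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
MAX_PREFIX_LEN = 24            # assumed limit on more-specifics

def is_private_asn(asn):
    # RFC 6996 private-use ranges (16-bit and 32-bit).
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

def as_path_ok(path):
    # Path must start with the customer AS (the ^AS anchor), every hop must be
    # in the as-set, and no private-use ASN may appear even if the as-set is wrong.
    if not path or path[0] != CUSTOMER_AS:
        return False
    return all(a in ALLOWED_ASNS and not is_private_asn(a) for a in path)

def prefix_ok(prefix):
    # Prefix must fall inside a registered prefix and not be too specific.
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_PREFIX_LEN:
        return False
    return any(net.version == p.version and net.subnet_of(p) for p in ALLOWED_PREFIXES)

def evaluate(prefix, path):
    """Return (accepted, reason). Both filters must pass."""
    if not as_path_ok(path):
        return False, "as-path"
    if not prefix_ok(prefix):
        return False, "prefix"
    return True, "ok"

# Constructed announcements: (prefix, AS path as received from the customer).
SAMPLE = [
    ("192.0.2.0/24", [64500]),            # customer's own route
    ("198.51.100.0/24", [64500, 64501]),  # downstream listed in the as-set
    ("203.0.113.0/24", [64500]),          # clean path, prefix not theirs
    ("192.0.2.0/24", [64500, 65001]),     # private ASN in the path
    ("192.0.2.128/25", [64500]),          # too specific
    ("192.0.2.0/24", [64499, 64500]),     # path does not start with customer AS
]

if __name__ == "__main__":
    for prefix, path in SAMPLE:
        print(prefix, path, evaluate(prefix, path))
```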