[afnog] BGP /AS filtering
Mark Tinka
mark.tinka at seacom.mu
Mon Jul 1 12:33:10 UTC 2013
On Monday, July 01, 2013 01:43:22 PM Saul Stein wrote:
> OK so now my question needs to change. I was thinking
> that I shouldn't accept bad/private AS paths from
> customers that buy transit from me and should either get
> them to fix their things or block them until they do.
> Clearly this isn't the way things are done.
Yes, it isn't the way to do things because your Sales guys
won't be happy with you. At the end of the day, you're a
profit-oriented business, so you may have to support certain
configurations that aren't really clean, but can be kept
from being disastrous.
Use of a private ASN is a completely valid design, but it
does have its challenges like the case we see from the
original message, where a router will not elide the private
ASNs if a public ASN is in the path.
Thankfully, recent code like that of IOS XE and Junos allows
you to go around that, and in some cases, even replace the
private AS with the local AS of the upstream network, if
necessary. But then again, expecting the upstream to support
this code is not guaranteed. Heck, several networks still
don't support 4-byte ASNs, and yet code has been out for
quite some time now.
> (Yes soon RPKI will really assist with this but in the
> meantime) does one just filter ^AS-path_ and then all
> the prefixes that can be received from them?
> How is this generally done?
RPKI will surely help, but the problem here is at a much
lower level.
If you filter a prefix, you filter all associated NLRI. If
you filter by AS_PATH, you filter a prefix, which means you
lose all other NLRI as well.
In short, if you try to block the AS_PATH, you will lose the
prefix as well.
The best case is that the origin of the prefix announces it
from behind a public ASN, or that their upstream removes the
private ASN before it re-announces the prefix to its eBGP
neighbors.
RPKI will force networks to use public ASes for inter-domain
routing. But it may not keep them from using private ASes
internally (which will lead to another case of this thread
again, and hopefully someone fixes things).
Moreover, as with 4-byte ASNs, networks still have to roll
out code that supports RPKI, and then implement it for it to
really come to life. All this will happen - in time.
Mark.
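The behaviour Mark describes (a router that only strips private ASNs when the whole path is private, versus newer code that strips them everywhere or substitutes the local AS) can be modelled in a few lines. The following is an added illustration written for this page, not code from the thread or from any vendor: the ASNs 64496/64497 (documentation range) and 65001/65002 (private range) are constructed sample values, and the mode names "classic", "all" and "replace" are hypothetical labels for the three behaviours, not actual vendor keywords.

```python
"""Model of how a BGP speaker treats private ASNs in an AS_PATH.

Constructed illustration (not from the afnog thread): the classic
'remove-private-as' strips private ASNs only when the entire path is
private; if a public ASN sits anywhere in the path the private ASNs
are left in place. Newer code offers strip-everywhere and
replace-with-local-AS variants. Mode names here are hypothetical.
"""

# RFC 6996 private ASN ranges (16-bit 64512-65534, 32-bit 4200000000-4294967294)
PRIVATE_16 = range(64512, 65535)
PRIVATE_32 = range(4200000000, 4294967295)


def is_private_asn(asn):
    """True if the ASN falls in either private range."""
    return asn in PRIVATE_16 or asn in PRIVATE_32


def parse_as_path(text):
    """Parse a space-separated AS_PATH string such as '64496 65001' into ints."""
    return [int(tok) for tok in text.split()]


def private_asns(path):
    """Return the private ASNs present in a path, in order."""
    return [asn for asn in path if is_private_asn(asn)]


def remove_private_as(path, mode="classic", local_as=None):
    """Return the AS_PATH after 'remove-private-as' style treatment.

    mode='classic': strip only when every ASN in the path is private
        (the behaviour the thread complains about).
    mode='all':     strip every private ASN wherever it appears.
    mode='replace': substitute local_as for every private ASN.
    """
    if mode == "classic":
        if path and all(is_private_asn(a) for a in path):
            return []
        return list(path)          # a public ASN in the path: nothing is elided
    if mode == "all":
        return [a for a in path if not is_private_asn(a)]
    if mode == "replace":
        if local_as is None:
            raise ValueError("replace mode needs local_as")
        return [local_as if is_private_asn(a) else a for a in path]
    raise ValueError("unknown mode: %r" % mode)


def check_customer_path(path):
    """Defender's check on a path learned from a customer: flag leaked private ASNs
    so the customer can be asked to fix their announcement rather than be dropped."""
    leaked = private_asns(path)
    return {"ok": not leaked, "private_asns": leaked}


if __name__ == "__main__":
    # Constructed sample: public customer AS 64496 with a private AS 65001 behind it
    path = parse_as_path("64496 65001")
    print("classic:", remove_private_as(path))                       # unchanged
    print("all:    ", remove_private_as(path, mode="all"))           # [64496]
    print("replace:", remove_private_as(path, mode="replace", local_as=64497))
    print("check:  ", check_customer_path(path))
```

The classic mode is the one that produces the symptom in the original message: a single public ASN anywhere in the path leaves every private ASN intact, so the leak is only caught downstream by a check like `check_customer_path`, which reports the offending ASNs without dropping the prefix and the NLRI that travel with it.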