[afnog] BGP /AS filtering

Mark Tinka mark.tinka at seacom.mu
Mon Jul 1 12:49:18 UTC 2013


On Monday, July 01, 2013 02:36:08 PM Nishal Goburdhan wrote:

> automate it where you can - pull data from IRRs.

I'm really hopeful about RPKI.

> no.  filter on ^as-path and prefix-filter.   belt and
> braces! filtering just the as-path is bad.  if you
> *must* choose, pick prefix-filters.  more admin work,
> but safer. (unless you're pretty certain that the person
> you're peering with has clue, in which case, continue to
> filter on both asp-path and prefix-filter...!)

> *always* filter downstream.
> sink bogons.
> use sunscreen...
> 
> as you've seen already, filtering is best done at the
> (very) edge - if it was done properly, there'd be a lot
> less mess to deal with...

Very good advice, all around.

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://afnog.org/pipermail/afnog/attachments/20130701/67f98b72/attachment.sig>


More information about the afnog mailing list