[afnog] BGP /AS filtering

Saul Stein saul at enetworks.co.za
Mon Jul 1 14:55:02 UTC 2013


Thanks all!

-----Original Message-----
From: Mark Tinka [mailto:mark.tinka at seacom.mu] 
Sent: 01 July 2013 02:49 PM
To: Nishal Goburdhan
Cc: Saul Stein; African Network Operators
Subject: Re: [afnog] BGP /AS filtering

On Monday, July 01, 2013 02:36:08 PM Nishal Goburdhan wrote:

> automate it where you can - pull data from IRRs.

I'm really hopeful about RPKI.

> no.  filter on ^as-path and prefix-filter.   belt and
> braces! filtering just the as-path is bad.  if you
> *must* choose, pick prefix-filters.  more admin work, but safer. 
> (unless you're pretty certain that the person you're peering with has 
> clue, in which case, continue to filter on both as-path and 
> prefix-filter...!)

> *always* filter downstream.
> sink bogons.
> use sunscreen...
> 
> as you've seen already, filtering is best done at the
> (very) edge - if it was done properly, there'd be a lot less mess to 
> deal with...

Very good advice, all around.

Mark.
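
The "belt and braces" advice quoted above, as an added example that is not part of the original thread: a small Python check that compares an as-path-only filter with the combined bogon + prefix-filter + as-path policy. The customer ASN 64500, the prefixes, the short bogon list and the sample announcements are all constructed for illustration; a real deployment would build the prefix list from IRR data and use a full bogon list.

```python
import ipaddress
import re

# Constructed policy for a hypothetical customer, AS64500 (documentation values).
ALLOWED_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("198.51.100.0/24", "203.0.113.0/24")]
AS_PATH_RE = re.compile(r"^64500( 64500)*$")   # customer AS only, prepends allowed
# Abbreviated sample bogon list (assumption: not a complete list).
BOGONS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def is_bogon(prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(b) for b in BOGONS)

def prefix_allowed(prefix):
    # Exact match only, so unregistered more-specifics are dropped too.
    return ipaddress.ip_network(prefix) in ALLOWED_PREFIXES

def as_path_allowed(as_path):
    return bool(AS_PATH_RE.match(as_path))

def decide(prefix, as_path):
    """Combined edge policy: sink bogons, then require prefix AND as-path match."""
    if is_bogon(prefix):
        return "reject-bogon"
    if not prefix_allowed(prefix):
        return "reject-prefix"
    if not as_path_allowed(as_path):
        return "reject-as-path"
    return "accept"

# Constructed announcements received from the customer session.
SAMPLE = [
    ("198.51.100.0/24", "64500"),          # registered prefix, clean path
    ("192.0.2.0/24", "64500"),             # prefix the customer is not registered for
    ("198.51.100.128/25", "64500"),        # unregistered more-specific
    ("10.0.0.0/8", "64500"),               # bogon
    ("203.0.113.0/24", "64500 64511"),     # registered prefix, unexpected AS in path
]

def compare(announcements):
    """Return (prefix, as_path, as-path-only verdict, combined verdict) per route."""
    return [(p, a, "accept" if as_path_allowed(a) else "reject", decide(p, a))
            for p, a in announcements]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print("%-20s %-14s as-path-only=%-7s combined=%s" % row)
```

An as-path-only filter accepts the second, third and fourth routes because the path looks right; only the prefix and bogon checks stop them.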



