[afnog] How to convince providers to take the sane option....

Frank Habicht geier at geier.ne.tz
Thu May 15 04:18:37 UTC 2014


Hi,

On 5/14/2014 7:24 PM, Patrick Okui wrote:
> One reason this has developed in certain cases is partly historical - 
> like what we're cleaning up in the UIXP in Uganda.
> 
> It starts with everyone peering exchanging all routes, then a few of
> the providers leak the routes cross-border to say the KIXP in Kenya.

without the knowledge/approval of the "owner" ?
bad start....   :-(
(yes, most likely it's a former customer)

> Configuration mistakes mean if that's not controlled these IX
> advertised routes are leaked to the Internet. Depending on how well
> peered a provider is, the Internet may prefer their path (eventually
> via the IX) and while this "free transit" may be interesting to have
> it's not one for which a service agreement exists and in some cases
> may be worse than the egress links the affected party has.

ack. been there.


> To make matters more interesting some people only peer with the route 
> server and not bilaterally, so it's difficult to control which peer
> gets what and they decide to either shut down their link or announce
> only aggregates plus very few specifics.

Even if all peers get everything...
... still they should not announce things they get from peering to other
peerings or even to upstreams.
static prefix lists are bad because they will become outdated.
I know many of us know this song.

Best solution I see is communities.
- Define one community called "don't advertise to upstreams".
- Add this community to all routes learned from upstreams, and to all
  routes learned from peering.
- Don't advertise these routes to upstreams,
  and don't advertise these routes to other peerings,
  i.e. first rule in the route-map to upstreams:
     deny anything matching that community

Frank
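
The community scheme described in the message above, sketched as Cisco IOS-style configuration. This is an added example, not part of the original post. The AS numbers, neighbor addresses, the community value 64500:999 and all route-map and list names are constructed placeholders, and leaving customer routes untagged is an assumption.

```cisco
! Constructed example: local AS 64500, documentation addresses only.
! 64500:999 is the placeholder for "don't advertise to upstreams".
ip bgp-community new-format
ip community-list standard NO-UPSTREAM permit 64500:999
!
! Tag everything learned from an upstream.
route-map FROM-UPSTREAM permit 10
 set community 64500:999 additive
!
! Tag everything learned from peering (bilateral or route server).
route-map FROM-PEER permit 10
 set community 64500:999 additive
!
! First rule towards upstreams: deny anything carrying the tag.
! Untagged routes (own and customer prefixes, by assumption) pass.
route-map TO-UPSTREAM deny 10
 match community NO-UPSTREAM
route-map TO-UPSTREAM permit 20
!
! Same rule towards peerings, so IX routes are not re-announced
! at another exchange and upstream routes are not handed to peers.
route-map TO-PEER deny 10
 match community NO-UPSTREAM
route-map TO-PEER permit 20
!
router bgp 64500
 ! upstream (placeholder neighbor)
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 route-map FROM-UPSTREAM in
 neighbor 192.0.2.1 route-map TO-UPSTREAM out
 ! IX peer or route server (placeholder neighbor)
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 route-map FROM-PEER in
 neighbor 198.51.100.1 route-map TO-PEER out
 ! iBGP neighbor: the tag set at the ingress router must reach
 ! the egress router, so communities have to be sent internally.
 neighbor 203.0.113.2 remote-as 64500
 neighbor 203.0.113.2 send-community
```

Because the outbound filters match on a tag applied at ingress rather than on a list of prefixes, they do not go stale when peers add or withdraw announcements.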
