[routing-wg] Bogon ASN Filter Policy
Arnold Nipper
arnold.nipper at de-cix.net
Fri Jun 10 15:43:31 CEST 2016
On 03.06.2016 06:53, Hank Nussbacher wrote:
> On 02/06/2016 22:43, Job Snijders wrote:
>> Dear fellow network operators,
>>
>> In July 2016, NTT Communications' Global IP Network AS2914 will deploy a
>> new routing policy to block Bogon ASNs from its view of the default-free
>> zone. This notification is provided as a courtesy to the network
>> community at large.
>>
>> After the Bogon ASN filter policy has been deployed, AS 2914 will not
>> accept route announcements from any eBGP neighbor which contains a Bogon
>> ASN anywhere in the AS_PATH or its atomic aggregate attribute.
>>
>> The reasoning behind this policy is twofold:
>>
>>     - Private or Reserved ASNs have no place in the public DFZ. Barring
>>       these from the DFZ helps improve accountability and dampen
>>       accidental exposure of internal routing artifacts.
>>
>>     - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456"
>>       in the DFZ is either a misconfiguration or software issue.
>>
>> We are undertaking this effort to improve the quality of routing data as
>> part of the global ecosystem. This should improve the security posture
>> and provide additional certainty [1] to those undertaking network
>> troubleshooting.
>>
>> Bogon ASNs are currently defined as following:
>>
>>     0                       # Reserved RFC7607
>>     23456                   # AS_TRANS RFC6793
>>     64496-64511             # Reserved for use in docs and code RFC5398
>>     64512-65534             # Reserved for Private Use RFC6996
>>     65535                   # Reserved RFC7300
>>     65536-65551             # Reserved for use in docs and code RFC5398
>>     65552-131071            # Reserved
>>     4200000000-4294967294   # Reserved for Private Use RFC6996
>>     4294967295              # Reserved RFC7300
>>
>> A current overview of what are considered Bogon ASNs is maintained at
>> NTT's Routing Policies page [2]. The IANA Autonomous System Number
>> Registry [3] is closely tracked and the NTT Bogon ASN definitions are
>> updated accordingly.
>>
>> We encourage network operators to consider deploying similar policies.
>> Configuration examples for various platforms can be found here [4].
>>
>> NTT staff is monitoring current occurrences of Bogon ASNs in the routing
>> system and reaching out to impacted parties on a weekly basis.
>>
>> Kind regards,
>>
>> Job
>>
>> Contact persons:
>>
>>     Job Snijders <job at ntt.net>, Jared Mauch <jmauch at us.ntt.net>,
>>     NTT Communications NOC <noc at ntt.net>
>>
>> References:
>> [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
>> [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
>> [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
>> [4]: http://as2914.net/bogon_asns/configuration_examples.txt
>>
> You guys are my heroes! If 4-5 tier-0 ISPs would do exactly this,
> bogus ASNs would disappear in a week.
> Instead everyone talks while the problem gets larger (now over 5000):
> http://www.cidr-report.org/as2.0/bogus-as-advertisements.html
>

Indeed, well done!

You may want to give a hand to the IXPs which run route servers as well,
Hank. Most of them do excellent filtering. Not only on ASN but also on
prefixes.

Besides bogus AS advertisements, route leaks are the other plague we have
to fight with. Here also most of the IXP RS take care that this doesn't
happen.

Cheers,
Arnold
-- 
Arnold Nipper
Chief Technology Evangelist and Co-Founder
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main |
Germany | www.de-cix.net | Phone +49 69 1730902 22 |
Mobile +49 172 2650958 | Fax +49 69 4056 2716 |
arnold.nipper at de-cix.net | Geschaeftsfuehrer Harald A. Summa |
Registergericht AG Koeln HRB 51135
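
The Bogon ASN table quoted in the announcement above, turned into an offline AS_PATH check. This is an added example and not part of the original thread or NTT's own configuration; the function names and the sample paths in the comments are constructed, and it covers the AS_PATH only.

```python
import re

# Inclusive Bogon ASN ranges, copied from the table in the quoted announcement.
BOGON_ASN_RANGES = [
    (0, 0, "Reserved RFC7607"),
    (23456, 23456, "AS_TRANS RFC6793"),
    (64496, 64511, "Reserved for use in docs and code RFC5398"),
    (64512, 65534, "Reserved for Private Use RFC6996"),
    (65535, 65535, "Reserved RFC7300"),
    (65536, 65551, "Reserved for use in docs and code RFC5398"),
    (65552, 131071, "Reserved"),
    (4200000000, 4294967294, "Reserved for Private Use RFC6996"),
    (4294967295, 4294967295, "Reserved RFC7300"),
]
_ASN_TOKEN = re.compile(r"\d+\.\d+|\d+")  # asdot ("1.10") or asplain ("65546")


def parse_as_path(as_path):
    """Return every ASN in a textual AS_PATH, AS_SET members included.

    Set delimiters such as "{ } ( ) ," are ignored, so an ASN hidden in an
    AS_SET is inspected like any other hop ("anywhere in the AS_PATH").
    """
    asns = []
    for token in _ASN_TOKEN.findall(as_path):
        if "." in token:
            high, low = (int(part) for part in token.split("."))
            if high > 0xFFFF or low > 0xFFFF:
                raise ValueError("invalid asdot ASN: " + token)
            asn = (high << 16) | low
        else:
            asn = int(token)
        if asn > 0xFFFFFFFF:
            raise ValueError("ASN exceeds 32 bits: " + token)
        asns.append(asn)
    return asns


def bogons_in_path(as_path):
    """Return (asn, reason) for each Bogon ASN found, in path order."""
    hits = []
    for asn in parse_as_path(as_path):
        for low, high, reason in BOGON_ASN_RANGES:
            if low <= asn <= high:
                hits.append((asn, reason))
                break
    return hits


def accept_route(as_path):
    """True when no ASN in the path is a Bogon ASN (constructed helper)."""
    return not bogons_in_path(as_path)
```

Run over a table dump, `bogons_in_path` also gives the per-route reason needed when reaching out to the announcing party.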