This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] Bogon ASN Filter Policy
- Previous message (by thread): [routing-wg] Bogon ASN Filter Policy
- Next message (by thread): [routing-wg] Bogon ASN Filter Policy
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Markus Weber
netmaster at de.kpn-eurorings.net
Tue Jun 14 19:19:44 CEST 2016
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote: > [filtering bogon ASes] > But I have security consideration that filtering isn't a proper mechanism > to reach this goal. Imagine next situation - if transit accidently prepends > its paths with private AS number it will result in DoS for all stub > networks connected to this transit. I think, better way is deprioritize > bogon routes - this will stop propagation of such routes if there is any > alternative and will not affect reachability in other cases. Hi Alexander, maybe I miss your point, but what would you do if the mentioned transit provider (being DoSed) would "accidently" filter out/suppress announcing its stub network's prefixes? Or start to blackhole them? Mistakes happen, but you can't ask the global community to implement RFC violating workarounds for such incidents. RFC6996 clearly states: Private Use ASNs MUST be removed from AS path attributes (...) before being advertised to the global Internet. Just accepting them with a lower local pref will not make anyone change sometime ... as broken setups would still continue to work. And if the transit provider already "accidently" prepends with private ASNs to his peers ... what would stop him from doing other crazy things (like leaking internally used more specifics of well known CDN providers)? And what would protect the Internet from being hit by this? Filters, but not lowering local-pref. Filtering out prefixes with bogon ASNs in the path is for sure not the biggest security improvement - but every little step helps. Markus -- Darmstaedter Landstrasse 184 | 60598 Frankfurt | Germany +49 (0)178 5352346 | <Markus.Weber at kpn.DE> | www.kpn.de KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main Amtsgericht Frankfurt HRB99781 | USt.IdNr. DE 815496855 Geschaeftsfuehrer Jesus Martinez & Pieter Martijn Schelling
- Previous message (by thread): [routing-wg] Bogon ASN Filter Policy
- Next message (by thread): [routing-wg] Bogon ASN Filter Policy
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]