This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Bogon ASN Filter Policy
Markus Weber
netmaster at de.kpn-eurorings.net
Tue Jun 14 19:19:44 CEST 2016
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
> [filtering bogon ASes]
> But I have security consideration that filtering isn't a proper mechanism
> to reach this goal. Imagine next situation - if transit accidentally prepends
> its paths with private AS number it will result in DoS for all stub
> networks connected to this transit. I think, better way is deprioritize
> bogon routes - this will stop propagation of such routes if there is any
> alternative and will not affect reachability in other cases.

Hi Alexander,

maybe I miss your point, but what would you do if the mentioned transit provider (being DoSed) would "accidentally" filter out/suppress announcing its stub network's prefixes? Or start to blackhole them?

Mistakes happen, but you can't ask the global community to implement RFC-violating workarounds for such incidents. RFC6996 clearly states:

    Private Use ASNs MUST be removed from AS path attributes (...)
    before being advertised to the global Internet.

Just accepting them with a lower local pref will not make anyone change sometime ... as broken setups would still continue to work.

And if the transit provider already "accidentally" prepends with private ASNs to his peers ... what would stop him from doing other crazy things (like leaking internally used more specifics of well known CDN providers)? And what would protect the Internet from being hit by this? Filters, but not lowering local-pref.

Filtering out prefixes with bogon ASNs in the path is for sure not the biggest security improvement - but every little step helps.

Markus

--
Darmstaedter Landstrasse 184 | 60598 Frankfurt | Germany
+49 (0)178 5352346 | <Markus.Weber at kpn.DE> | www.kpn.de
KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main
Amtsgericht Frankfurt HRB99781 | USt.IdNr. DE 815496855
Geschaeftsfuehrer Jesus Martinez & Pieter Martijn Schelling
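The two import policies debated in this thread, rejecting versus lowering local-pref, compared on the scenario from the quoted message. This is an added example, not part of the original post or any participant's configuration. Assumptions: the check covers only the RFC 6996 Private Use ranges the message cites, best-path selection is reduced to local-pref then AS-path length, and every route, ASN and local-pref value is constructed.

```python
from dataclasses import dataclass, replace

# Private Use ASN ranges from RFC 6996 (inclusive); the only bogon class the
# message cites. A production bogon list covers further reserved ranges.
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]
LOW_LOCAL_PREF = 10  # assumed "deprioritized" value; the default below is 100

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    local_pref: int = 100

def private_asns(as_path):
    """Return the Private Use ASNs found in an AS path, in path order."""
    return [a for a in as_path
            if any(lo <= a <= hi for lo, hi in PRIVATE_ASN_RANGES)]

def apply_policy(routes, mode):
    """'filter' rejects routes with a private ASN in the path;
    'deprioritize' accepts them with a lowered local-pref."""
    out = []
    for r in routes:
        if private_asns(r.as_path):
            if mode == "filter":
                continue
            r = replace(r, local_pref=LOW_LOCAL_PREF)
        out.append(r)
    return out

def best_paths(routes):
    """Per prefix: highest local-pref wins, then the shortest AS path."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (r.local_pref, -len(r.as_path)) > (cur.local_pref, -len(cur.as_path)):
            best[r.prefix] = r
    return best

# Constructed routes: documentation prefixes, documentation ASNs standing in
# for public ASNs, and 65000 as the private ASN leaked by transit AS64500.
ROUTES = [
    Route("192.0.2.0/24", (64500, 65000, 64501)),            # stub's only path
    Route("198.51.100.0/24", (64500, 65000, 64502)),         # leaked path
    Route("198.51.100.0/24", (64510, 64511, 64505, 64502)),  # clean, longer
]

if __name__ == "__main__":
    for mode in ("filter", "deprioritize"):
        for prefix, r in sorted(best_paths(apply_policy(ROUTES, mode)).items()):
            print(mode, prefix, r.as_path, r.local_pref)
```

Under `filter` the single-homed stub prefix disappears until the transit fixes its announcements; under `deprioritize` it stays reachable over the leaked path, which is the "broken setups would still continue to work" outcome the reply objects to.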