On Mon, 25 Feb 2008, Danny McPherson wrote:
(Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix
filtered, based on RIPE IRR data (with one exception). IPv4 peers'
advertisements seem to be too big a mess, and too long filters, to fix this
way.)
Do you explicitly filter routes from your upstream or transit providers?
E.g., if one were to announce, say, a more specific of one of your
customer's routes to you would you accept it? What about someone
else's address space?
Our own or our singlehomed customers' address space -- we would reject
such an advertisement. The same inbound consistency check applies to
peers and upstreams/transits.
If it's someone else's or a more specific or the same prefix as our
multihomed customers -- we accept it. There isn't anything else we
can do in practise which would not hurt legitimate routing..
It was extremely painful at times, even for us, if we wanted to
advertise new address space we had to update IRR objects and
wait on their nightly push of updated routing policies at ANS. We
generated our own routing policies automatically off our IRR, which
mirrored others as well, and explicitly prefix filtered customers with
some fixed prefix and AS path-based policies applied to peers. If it
became really urgent, then we'd call ANS and have them manually
update their policy, and subsequently 'bounce' the route
announcement to trigger transmission of a new update.
Sounds like a procedure that should be applied today (whether or not
you want to use IRR and/or autogenerated configs is a matter of taste)
but the principle seems sound.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
