On Tue, Jun 30, 2015 at 10:53:45AM -0400, Sandra Murphy wrote: > That sort of AS_PATH filtering would not have helped in this case. > The AS originated the routes, it did not propagate an upstream route. > > So an AS_PATH filter to just its own AS would have passed these > routes. > > You would need origin validation on your outbound routes. Job > suggested prefix filters on outbound routes. (If you are doing prefix > filters on your inbound customer links, it might be excessive caution > to also prefix filter customers prefixes on outbound links? Or is it: > you can never be too careful, belt-and-suspenders, measure twice, > etc?)
I wouldn't consider it to be excessive caution to bring more safeguards to the game, you never know when diarrhea will strike. If you were the network causing a leak of this type, prefix filters on inbound facing your customers might not have prevented this. If you are a network providing transit to the leak originator mentioned in the above paragraph, I believe a prefix based filter could have made a big difference. Kind regards, Job
