On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
> [filtering bogon ASes] But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the following situation: if a transit accidentally prepends its paths with a private AS number, it will result in DoS for all stub networks connected to this transit. I think a better way is to deprioritize bogon routes - this will stop propagation of such routes if there is any alternative and will not affect reachability in other cases.
Hi Alexander,

maybe I miss your point, but what would you do if the mentioned transit provider (being DoSed) would "accidentally" filter out/suppress announcing its stub network's prefixes? Or start to blackhole them? Mistakes happen, but you can't ask the global community to implement RFC-violating workarounds for such incidents.

RFC6996 clearly states: Private Use ASNs MUST be removed from AS path attributes (...) before being advertised to the global Internet.

Just accepting them with a lower local pref will not make anyone change sometime ... as broken setups would still continue to work. And if the transit provider already "accidentally" prepends with private ASNs to his peers ... what would stop him from doing other crazy things (like leaking internally used more specifics of well known CDN providers)? And what would protect the Internet from being hit by this? Filters, but not lowering local-pref.

Filtering out prefixes with bogon ASNs in the path is for sure not the biggest security improvement - but every little step helps.

Markus

--
Darmstaedter Landstrasse 184 | 60598 Frankfurt | Germany
+49 (0)178 5352346 | <Markus.Weber@kpn.DE> | www.kpn.de
KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main
Amtsgericht Frankfurt HRB99781 | VAT ID DE 815496855
Managing Directors Jesus Martinez & Pieter Martijn Schelling
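The two policies discussed in this thread (dropping routes whose AS_PATH contains a private-use ASN versus accepting them with a lower local preference) can be compared on a small constructed routing table. The following Python is an added example written for this thread; it is not code or configuration from either poster or from any router vendor. It uses the RFC 6996 private-use ranges (64512-65534 and 4200000000-4294967294), documentation ASNs from 64496-64511 for the "public" networks, and a simplified best-path choice (highest local_pref, then shortest path); the prefixes and paths are constructed sample data.

```python
# Added example: compare "filter" vs "deprioritize" handling of private-use ASNs
# in BGP AS_PATHs. Not the project's or any poster's code; all routes are constructed.

# RFC 6996 private-use ASN ranges (inclusive).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    """True if asn falls in an RFC 6996 private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def parse_as_path(path):
    """Parse a space-separated AS_PATH string; AS_SETs in braces are flattened."""
    tokens = path.replace("{", " ").replace("}", " ").replace(",", " ").split()
    return [int(t) for t in tokens]


def private_asns_in_path(path):
    """Return the private-use ASNs present in an AS_PATH string."""
    return [asn for asn in parse_as_path(path) if is_private_asn(asn)]


def apply_policy(routes, mode, default_pref=100, bogon_pref=10):
    """Apply an inbound policy to a list of route dicts ('prefix', 'as_path').

    mode == "filter":       drop any route carrying a private ASN (RFC 6996 stance)
    mode == "deprioritize": keep it, but with local_pref lowered to bogon_pref
    Returns the accepted routes, each annotated with local_pref and private_asns.
    """
    accepted = []
    for route in routes:
        bogons = private_asns_in_path(route["as_path"])
        pref = route.get("local_pref", default_pref)
        if bogons:
            if mode == "filter":
                continue
            if mode == "deprioritize":
                pref = bogon_pref
            else:
                raise ValueError("unknown policy mode: %r" % mode)
        accepted.append({**route, "local_pref": pref, "private_asns": bogons})
    return accepted


def _rank(route):
    # Simplified BGP decision: higher local_pref wins, then shorter AS_PATH.
    return (route["local_pref"], -len(parse_as_path(route["as_path"])))


def best_routes(accepted):
    """Pick the best route per prefix from the accepted set."""
    best = {}
    for route in accepted:
        current = best.get(route["prefix"])
        if current is None or _rank(route) > _rank(current):
            best[route["prefix"]] = route
    return best


# Constructed sample table. Transit 64496 has (by mistake) prepended private ASN
# 65001 to everything it announces. Stub 64500 is also reachable via a clean path
# through 64497/64498; stub 64499 is reachable only through the broken transit.
SAMPLE_ROUTES = [
    {"prefix": "203.0.113.0/24", "as_path": "64496 65001 64500"},
    {"prefix": "203.0.113.0/24", "as_path": "64497 64498 64500"},
    {"prefix": "198.51.100.0/24", "as_path": "64496 65001 64499"},
]


if __name__ == "__main__":
    for mode in ("filter", "deprioritize"):
        print("policy:", mode)
        for prefix, route in sorted(best_routes(apply_policy(SAMPLE_ROUTES, mode)).items()):
            print("  %-16s via %-22s local_pref=%d private=%s"
                  % (prefix, route["as_path"], route["local_pref"], route["private_asns"]))
```

Running it shows both outcomes the posters describe: under "filter" the prefix that has only the bogon-tainted path (198.51.100.0/24) disappears from the table, while under "deprioritize" it stays reachable at local_pref 10 and the prefix with a clean alternative is selected over the tainted path in both modes. The difference is exactly the trade-off in the thread: the filter enforces RFC 6996 and exposes the misconfiguration, the lower local-pref preserves reachability but lets the broken setup keep working unnoticed.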