
Ryan Hamel wrote on 06/12/2024 17:32:
That said, I can argue that upstreams not filtering their customers properly removes a safety guard, upstreams not implementing RPKI removes a safety guard, not properly prepending communities on synthetic routes to drop them on export again removes a safety guard. I can go on...
There's a fundamental difference. Not filtering customers properly fails to implement a safety guard that should have been implemented. Not implementing RPKI fails to implement an additional safety guard. Not properly prepending communities fails to implement an additional safety guard. Rewriting the AS path removes a core descriptive component of NLRIs inherent in the BGP protocol which is critical to implementing other safety guards. Including - as an example of only one of the harmful effects of this practice - the ability for the upstream to automatically drop all routes which you just reflected back to it, having just rewritten the AS path to remove their ASN and rewrite the NHIP, because BGP loop-free routing requires this by default in the protocol. When you drop core safety components, accidents are more likely to happen.
Where this statement falls short is, those are all regulated by building codes, laws, etc. No laws exist dictating how BGP, routing protocols in general, and topologies must be implemented, nor what safety guidelines must be adhered to.
The normal progression of many technologies ends in regulation. We already have regulation which covers BGP inter-domain routing security in the EU, and I'd be surprised if it wasn't going to happen in other jurisdictions in due course. In the US, warning shots have already been fired by the White House:
https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-I...
This style of document should be taken as notification that interdomain routing security is fresh on the table of regulatory bodies in the US.

Nick
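
The receive-side AS_PATH loop check discussed in the reply above, as an added example that is not part of the original message: a small model of an upstream receiving its own route back from a customer, once with the path intact and once with the path rewritten. The ASNs and prefix are constructed documentation values, and the local-pref policy (customer routes preferred) and the simplified best-path function are assumptions of the example.

```python
# Added illustration; ASNs (RFC 5398 documentation range) and prefix are constructed.
UPSTREAM, CUSTOMER, ORIGIN = 64500, 64501, 64510
PREFIX = "192.0.2.0/24"


def accept(local_as, as_path):
    """Receive-side loop check: reject a route whose AS_PATH already holds our ASN."""
    return local_as not in as_path


def export(local_as, as_path, rewrite=False):
    """Normal eBGP export prepends the local ASN. rewrite=True models the
    practice criticised above: the learned path is replaced by the local ASN."""
    return [local_as] if rewrite else [local_as] + as_path


def best(routes):
    """Simplified decision process: highest local-pref, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r["local_pref"], -len(r["as_path"])))


def upstream_next_as(rewrite):
    """Return the neighbour AS the upstream ends up forwarding PREFIX to."""
    # The upstream learns PREFIX directly from the origin AS.
    rib = [{"as_path": [ORIGIN], "local_pref": 100, "via": ORIGIN}]
    # It exports the route to the customer, which reflects it straight back.
    to_customer = export(UPSTREAM, rib[0]["as_path"])
    reflected = export(CUSTOMER, to_customer, rewrite=rewrite)
    if accept(UPSTREAM, reflected):
        # Assumption: customer-learned routes get a higher local-pref.
        rib.append({"as_path": reflected, "local_pref": 200, "via": CUSTOMER})
    return best(rib)["via"]


def forwarding_loop(rewrite):
    """The customer's only path to PREFIX is via the upstream, so traffic
    loops as soon as the upstream selects the customer as next hop."""
    return upstream_next_as(rewrite) == CUSTOMER


if __name__ == "__main__":
    for rewrite in (False, True):
        print(PREFIX, "rewrite =", rewrite,
              "next AS =", upstream_next_as(rewrite),
              "loop =", forwarding_loop(rewrite))
```

With the path intact the reflected route is discarded on receipt and the upstream keeps forwarding to the origin; with the path rewritten the same route passes the check and wins best-path selection.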