On Thu, Mar 26, 2015 at 11:26:07PM -0400, ML wrote:
On 3/26/2015 6:20 PM, Nick Rose wrote:
While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
Wouldn't it be a BCP to set no-export from the Noction device too?
Sure, but even that might not always prevent the fake paths from leaking to your eBGP neighbors. For instance, not too long ago there was this bug: "Routes learned with the no-export community from an iBGP neighbor are being advertised to eBGP neighbors. This may occur on Cisco ASR 9000 Series Aggregation Services Routers." (don't remember BugID) In other words: it can happen to the best of us. You should not lie to yourself by inserting fake more-specific paths into routing tables. The moment your lies somehow manage to escape into the default-free-zone you are taking other businesses down. Whether the leak is caused by a bug in the router's software or human error, destroying other people's online presence is far beyond acceptable. If the same leak would've happened /without/ the fake more-specifics, it'd still be an issue, but the collateral damage would have been dampened. The leaked paths would have to compete with the normal paths and best-path selectors like as-path length apply. Using software to insert fake more-specific paths into your routing domain should be discouraged and frowned upon. Kind regards, Job