On Tue, Jun 30, 2015 at 10:53:45AM -0400, Sandra Murphy wrote:
That sort of AS_PATH filtering would not have helped in this case. The AS originated the routes, it did not propagate an upstream route.
So an AS_PATH filter to just its own AS would have passed these routes.
You would need origin validation on your outbound routes. Job suggested prefix filters on outbound routes. (If you are doing prefix filters on your inbound customer links, it might be excessive caution to also prefix filter customers prefixes on outbound links? Or is it: you can never be too careful, belt-and-suspenders, measure twice, etc?)
I wouldn't consider it to be excessive caution to bring more safeguards to the game, you never know when diarrhea will strike. If you were the network causing a leak of this type, prefix filters on inbound facing your customers might not have prevented this. If you are a network providing transit to the leak originator mentioned in the above paragraph, I believe a prefix based filter could have made a big difference. Kind regards, Job