Strict route filtering at IX?
Hi NANOGers,

tl;dr What is the best practice for filtering a large number of prefixes at an internet exchange?

Yesterday I ran into problems while writing new filtering rules for my peerings at a local Exchange. My workflow probably has a flaw, although it works fine for IPv6 (well, fewer prefixes there).

After the physical link was set up I started a BGP session with the route server of the exchange. A few minutes later some other AS imported my prefix, e.g. those listed at HE[1]. I guess they filtered "less strict" :) The next day the exchange's route server administrator added my AS-SET to the AS-SET of the route server.

--- snip RIPE DB ---
as-set:     AS-KLEYREX-RS1
descr:      KleyReX Internet Exchange Frankfurt
[...]
members:    AS-NONATTACHED
--- snap ---

A few days have passed since then but the number of peers has not increased as expected. Is this normal? My mp-* entries look like this:

--- snip RIPE DB ---
aut-num:    AS57821
as-name:    NONATTACHED-AS
[...]
mp-import:  afi ipv4.unicast from AS31142 accept AS-KLEYREX-RS1
mp-export:  afi ipv4.unicast to AS31142 announce AS-NONATTACHED
--- snap ---

Yesterday I thought about importing the route server's prefixes and, of course, filtering them. Using rtconfig[2] I created a filter for BIRD[3] like this:

--- snip bird.conf ---
if (prefix_too_long()) then reject;
@rtconfig printPrefixes "if (net ~ [ %p/%l+ ]) then accept;\n" filter AS-KLEYREX-RS1
reject;
--- snap ---

This takes about 10-20 minutes and results in a very large config file consisting of hundreds of prefixes in IPv4. The same config file for IPv6 would be smaller. However, legacy protocol IPv4 is not yet dead so I need to filter it somehow. BIRD sometimes segfaults when it is advised to read those large filters.

So, here's the question: How do you filter at exchanges? Where is the error in my workflow? Is strict route filtering a myth?

Thanks for helping!

Dan

[1] http://bgp.he.net/AS57821#_peers
[2] http://irrtoolset.isc.org/wiki/RtConfig
[3] http://bird.network.cz
I use a mixture of BGP communities and prefix lists and it scales very well for me.

Rgds
Peter,

Sent from my Asus Transformer Pad

On Dec 12, 2012 3:24 AM, "Dan Luedtke" <mail@danrl.de> wrote:
On 12.12.2012 12:22, Dan Luedtke wrote:
So, here's the question: How do you filter at exchanges?
Afaik BCP is to not prefix-/as-path/origin-filter well maintained routeservers at an IXP but simply put in max prefix limits.

Arnold

--
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold@nipper.de   phone: +49 6224 5593407 2
mobile: +49 172 2650958   fax: +49 6224 5593407 9
Hi, Dan -- On 12/12/2012 11:22, "Dan Luedtke" <mail@danrl.de> wrote:
So, here's the question: How do you filter at exchanges? Where is the error in my workflow? Is strict route filtering a myth?
You can see if the route-servers at the IX already filter. For example, this is the case at LONAP, where strict filters against RADB are built.

Networks with open policy and large numbers of peers will naturally find it hard to filter peer *prefixes* on session config, because as you have found the config quickly becomes large and unwieldy. As Arnold has said, filtering with max-prefix and AS-path is more common on bilateral sessions.

My advice would be to encourage your IX operator to filter on the route-servers, and rely on MLP derived adjacency for networks that you want to peer with, but don't trust enough not to prefix-filter.

Andy
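As an added example (not code from Dan, Arnold or Andy, and not RtConfig output): a small generator that turns an IRR-derived prefix list into a BIRD 1.x filter using one prefix set and one origin-AS set instead of one "if ... then accept;" line per prefix, and pairs it with the import limit Arnold and Andy recommend. The prefixes and ASNs are constructed documentation values; the filter name and the `prefix_too_long`-style length bound are assumptions.

```python
"""Emit a compact BIRD 1.x import filter from an IRR-derived prefix list.

Constructed example: one prefix set plus an origin-AS set, and an import
limit for the route-server session, instead of hundreds of 'if' lines.
"""
import ipaddress

# Constructed sample input (documentation prefixes/ASNs), shaped like the
# (prefix, most-specific-length-allowed) pairs an AS-SET expansion yields.
SAMPLE_PREFIXES = [
    ("192.0.2.0/24", 24),
    ("198.51.100.0/22", 24),
    ("203.0.113.0/24", 24),
]
SAMPLE_ORIGINS = [64496, 64497]


def bird_prefix_term(prefix, max_len):
    """Render one BIRD prefix-set entry, e.g. 198.51.100.0/22{22,24}.

    strict=True rejects non-canonical input (host bits set) rather than
    silently emitting a prefix that would never match what was intended.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"bad max length {max_len} for {prefix}")
    if max_len == net.prefixlen:
        return str(net)  # exact-match entry only
    return f"{net}{{{net.prefixlen},{max_len}}}"


def build_bird_filter(name, prefixes, origins, limit):
    """Return the filter text plus the two import lines for the BGP protocol."""
    pset = ", ".join(bird_prefix_term(p, l) for p, l in prefixes)
    oset = ", ".join(str(a) for a in sorted(set(origins)))
    return "\n".join([
        f"define {name}_prefixes = [ {pset} ];",
        f"define {name}_origins = [ {oset} ];",
        f"filter {name}_in {{",
        f"  if net !~ {name}_prefixes then reject;",        # prefix + length bound
        f"  if bgp_path.last !~ {name}_origins then reject;",  # origin AS check
        "  accept;",
        "}",
        "# inside 'protocol bgp ...' for the route-server session:",
        f"#   import filter {name}_in;",
        f"#   import limit {limit} action block;",          # max-prefix safety net
    ])


if __name__ == "__main__":
    print(build_bird_filter("rs1", SAMPLE_PREFIXES, SAMPLE_ORIGINS, 500))
```

The output size grows with the number of set entries, not with the number of filter statements, which is what keeps the parsed config small.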