
Re: OpenBGPD: filter bogus AS...



On Sun, Jul 17, 2005 at 03:01:08PM +0200, Xavier Beaudouin wrote:
> On 17 Jul 05 at 14:14, Claudio Jeker wrote:
> 
> >On Sat, Jul 16, 2005 at 08:23:17PM +0200, Henning Brauer wrote:
> >
> >>* Xavier Beaudouin <kiwi_(_at_)_oav_(_dot_)_net> [2005-07-16 20:04]:
> >>
> >>>I wish to add a filter to avoid bogus AS numbers that should be
> >>>reserved
> >>>for private networks being accepted by my router.
> >>>
> >>>The problem is that:
> >>>
> >>># filter bogus AS
> >>>allow from any AS { 64512, 65534 } set nexthop blackhole
> >>>
> >>>Doesn't allow ranges... Is there any better way to handle such a
> >>>setup?
> >>>
> >>
> >>no, but adding ranges might be a good idea...
> >>
> >>
> >
> >Btw. you don't want to do that because there are some valid  
> >networks that
> >have reserved AS numbers in their path.
> 
> Hum...
> 
> ># bgpctl show rib | grep "65[0-9][0-9][0-9]" | awk '{print $2}'
> >194.146.116.0/24
...
> >216.217.68.0/22
> 
> Strange, I have more subnets than you:
> 
> 64.146.96.0/24
...
> 216.217.68.0/22
> 

That's not strange, you have a different view of the internet and so other
paths are chosen. I think there are a few transit providers that use
some sort of confederations but fail to configure their network properly.

> >I don't know why you want to filter them out. Unless you are using  
> >these
> >AS yourself internally -- in that case you should probably block the
> >specific AS.
> 
> This is already done on myself :)
> 
> >IMO having AS number ranges does not make that much sense -- there is
> >almost no policy on AS number allocation.
> 
> Very strange. I got mine from ripe.net and they were very picky about  
> that... :p
> 

There is a difference in the policy for getting an AS number and the policy
behind the number. It is important that RIPE and the others are picky
about giving out AS numbers because these will run out soon (64512 is the
max and soon 40000 AS nums will be given away). Switching from a 16bit number
to something else is a tough job -- hopefully they don't mess it up as
with IPv6.

> But it is sure that this is maybe not needed for "security" purposes :)
> 

Actually BGP has nothing to do with "security", the filtering is mostly
there to fix stupid errors others are doing and especially to engineer
your network traffic.

-- 
:wq Claudio
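The thread audits the RIB for private AS numbers with `bgpctl show rib | grep "65[0-9][0-9][0-9]"`. As an added example (not code from the thread or from OpenBGPD), here is a small parser for output in the shape of `bgpctl show rib` that checks each AS path against the actual private-use ranges (64512-65534 and 4200000000-4294967294, RFC 6996) and the reserved values 0, 23456, 65535 and 4294967295, and compares the result with the regex approach. The RIB lines, prefixes, gateways and paths are constructed for this example; the column layout is assumed to be flags, destination, gateway, lpref, med, aspath, origin.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Private-use AS ranges (RFC 6996); these are standards facts, not values from the thread.
PRIVATE_AS_RANGES = (
    (64512, 65534),            # 16-bit private use
    (4200000000, 4294967294),  # 32-bit private use
)
# Reserved, never expected in a path: AS 0 (RFC 7607), AS_TRANS (RFC 6793),
# last 16-bit and last 32-bit ASN (RFC 7300).
RESERVED_AS = {0, 23456, 65535, 4294967295}

# Constructed sample in the shape of `bgpctl show rib` output (made-up routes).
SAMPLE_RIB = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale, E = Error
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    192.0.2.0/24         198.51.100.1       100 65000 64496 64500 i
*>    198.51.100.0/24      198.51.100.1       100     0 64496 64513 64499 i
*>    203.0.113.0/24       198.51.100.2       100     0 64496 65535 64499 i
*>    2001:db8::/32        2001:db8:ffff::1   100     0 64496 4200000001 i
*     203.0.113.128/25     198.51.100.2       100     0 64496 { 64512 65001 } 64499 ?
"""

# Assumed column layout: flags, prefix, gateway, lpref, med, aspath, origin.
RIB_LINE = re.compile(
    r"^(?P<flags>\S+)\s+(?P<prefix>\S+/\d+)\s+(?P<gateway>\S+)\s+"
    r"(?P<lpref>\d+)\s+(?P<med>\d+)\s+(?P<aspath>.*?)\s*(?P<origin>[ie?])$"
)


def parse_rib(text: str) -> Iterator[Tuple[str, List[int]]]:
    """Yield (prefix, [asn, ...]) for each route line; header lines are skipped."""
    for line in text.splitlines():
        m = RIB_LINE.match(line)
        if not m:
            continue
        # AS_SET members are printed in braces; treat them as ordinary path members.
        tokens = m.group("aspath").replace("{", " ").replace("}", " ").split()
        yield m.group("prefix"), [int(t) for t in tokens]


def is_private_as(asn: int) -> bool:
    """True if asn lies in a private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


def classify_path(path: List[int]) -> Tuple[List[int], List[int]]:
    """Return (private ASNs, reserved ASNs) found in an AS path, each sorted."""
    private = sorted({a for a in path if is_private_as(a)})
    reserved = sorted({a for a in path if a in RESERVED_AS})
    return private, reserved


def find_suspect_routes(text: str) -> Dict[str, Tuple[List[int], List[int]]]:
    """Map prefix -> (private, reserved) for routes whose path contains either."""
    out = {}
    for prefix, path in parse_rib(text):
        private, reserved = classify_path(path)
        if private or reserved:
            out[prefix] = (private, reserved)
    return out


def naive_grep_matches(text: str) -> List[str]:
    """Reproduce the thread's grep "65[0-9][0-9][0-9]" on whole lines, for comparison."""
    hits = []
    for line in text.splitlines():
        m = RIB_LINE.match(line)
        if m and re.search(r"65[0-9][0-9][0-9]", line):
            hits.append(m.group("prefix"))
    return hits


if __name__ == "__main__":
    for prefix, (private, reserved) in find_suspect_routes(SAMPLE_RIB).items():
        print(f"{prefix}: private={private} reserved={reserved}")
    print("regex would flag:", naive_grep_matches(SAMPLE_RIB))
```

On the constructed sample the regex flags 192.0.2.0/24 only because its MED happens to be 65000, and misses both 64513 (private but below 65000) and the 32-bit private ASN, while the range check reports exactly the routes whose path carries a private or reserved ASN. Which of those routes to drop is a policy decision, as the thread says: some of them are legitimate routes with a badly configured confederation in the path.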
