Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin

MyNOG

  • 1. Initial Experiences Route Filtering at the Edge AS15169
      Peering Asia 3.0
      Arturo Servin / Ray Estrada
  • 2. It is hard ...
      Harder, longer and more complex than we initially thought.
  • 3. Summary
      AS15169 will start to apply stricter filters to BGP announcements on all peering sessions … Sometime … Very soon we hope ...
  • 4. Why?
      ● It is pretty much self-explanatory why routing security matters, but if you ask me to say …
      ● Sending/receiving route hijacks, leaks, MITMs, etc. hurts
      We want to be part of the solution, not the problem
  • 5. Which problems do we want to solve?
      ● My prefixes announced/leaked by others
      ● Me leaking others' prefixes
      ● Others sending leaks/hijacks to me
      ● Others sending leaks/hijacks of others with impact
      [Diagram labels: indirect sessions / direct sessions; me / others; PeerLock (Others); PeerLock (me); Better operational practices; "This talk is about what AS15169 intends to do here"]
  • 6. BGP filtering sources: IRR, RPKI, <internal TE>
      ● IRR data for what peers think they will be sending (Today)
      ● RPKI data where available to validate IRR data (Tomorrow)
      ● Internal TE sources to limit further if required (The day after tomorrow)
  • 7. Why IRR and not RPKI?
      ● IRR data is not perfect but it covers more prefixes than RPKI today
      ● RPKI only provides Origin Validation, we also need “Routing Intent” (i.e. what a peer intends to announce to us or is allowed to announce)
      ● We are planning to use RPKI in the near future, but we want to get the first step right
  • 8. Our Strategy
      ● Notify peers (almost a year by now)
      ● Clean our IRR data (we need to do what we are asking others to do) and publish our Routing Intent
      ● Collect, parse and process data regularly from IRR repositories
      ● Parse and place into internal data service and create per-ASN filter content
      ● Algorithmically mark prefixes and inform our peers
      ● Apply changes to network device(s)
  • 9. Routing Intent - Publishing ours
      ● Make sure our “Routing Intent” is available and correct
      ● Use of IRR (RADB) and RPKI hosted model
          ○ Automate and minimize manual configuration
          ○ Use of APIs to publish new data to RPKI and IRR
      ● Work in process
  • 10. Collect, Parse and Process
      ● Collect data regularly from IRR repositories [1]
      ● Parse and place into internal data service
      ● Create per-ASN filter content
      [1] ALTDB, APNIC, ARIN, BBOI, BELL Canada, CANARIE, EASYNET, HOST, JPIRR, Level3, NESTEGG, NTT, OPENFACE, OTTIX, PANIX, REACH, RADB, RGNET, RIPE, RISQ, ROGERS, TC
  • 11. Apply changes to network devices
      ● Pilot to a small group of networks
      ● Measure device impact
      ● Mark today
      ● Drop tomorrow
  • 12. Main issues (so far ...)
      ● Selling the project
      ● Missing IRR data for a given prefix
          ○ No object at all (ASN or Route)
          ○ No routing intent (AS-SET)
          ○ Duplicated entries
      ● Parsing AS-SET record
          ○ AS-SET vs IRR:AS-SET vs ORGNAME::ASN:AS-SET
      ● Fast and reliable configuration of network devices is hard
  • 14. Total prefixes / Valid - Global
  • 15. Total prefixes / Valid - Global vs APAC
  • 16. Total prefixes / Valid - Global (All)
  • 17. Total prefixes / Valid - APAC per Country
      CN: 70,487 Avg Announced / 59.12% valid
  • 18. Other interesting findings
      ● Large transit providers have a large number of invalids
          ○ Most of those are missing customer ASNs in AS-SETs
          ○ <review if some accept invalid origins, etc.>
  • 19. Tools to check your prefix validity
      ● Google ISP Portal
          ○ https://isp.google.com/bgp/
      ● IRR Explorer NLNOG
          ○ http://irrexplorer.nlnog.net/
      ● RIPE RIS Routing Consistency
          ○ https://stat.ripe.net/widget/as-routing-consistency
  • 20. BGP View at Google ISP Portal
  • 21. Other lines of work
      ● Preventing ourselves from being the leaker
      ● Publishing RPKI data
          ○ Using RIRs hosted model
          ○ Working to automate ROA publishing using ARIN’s RPKI system
          ○ Evaluating doing the same with other RIRs (initially we will do it manually)
      ● MANRS
  • 22. Final recommendations when peering with AS15169
      ● Review the correctness of your ASN, Route and AS-SET objects
      ● Check that your AS-SET is correctly configured in your PeeringDB record
      ● Check that everything looks ok (ISP Portal or other online validators)
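
The collect, parse, filter and mark steps from slides 8, 10 and 11, together with the AS-SET parsing problems from slide 12, sketched as an added example; this is not AS15169's code. The function names, the sample objects, the exact prefix-and-origin match and the treatment of a leading `SOURCE::` qualifier are assumptions made for illustration.

```python
import ipaddress

# Constructed RPSL sample: documentation ASNs and prefixes, not real IRR data.
IRR_DUMP = """\
as-set:  AS-EXAMPLE-PEER
members: AS64500, AS-EXAMPLE-CUST

as-set:  AS-EXAMPLE-CUST
members: AS64501, AS-EXAMPLE-PEER, AS-MISSING

route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64501
source:  RADB

route:   198.51.100.0/24
origin:  AS64501
source:  ALTDB

route:   203.0.113.0/24
origin:  AS64502
"""

def load(text):
    """Index as-set members and (prefix, origin) pairs; the set drops duplicated entries."""
    as_sets, routes = {}, set()
    for block in text.strip().split("\n\n"):
        attrs = [tuple(p.strip() for p in ln.split(":", 1))
                 for ln in block.splitlines() if ":" in ln]
        (kind, name), rest = attrs[0], attrs[1:]
        if kind == "as-set":
            members = as_sets.setdefault(name.upper(), set())
            for key, value in rest:
                if key == "members":
                    members.update(m.strip().upper() for m in value.split(",") if m.strip())
        elif kind in ("route", "route6"):
            origin = next(v for k, v in rest if k == "origin")
            routes.add((ipaddress.ip_network(name), int(origin.upper()[2:])))
    return as_sets, routes

def split_source(name):
    """'RADB::AS-FOO' -> ('RADB', 'AS-FOO'); 'AS64500:AS-FOO' stays one hierarchical name."""
    source, sep, rest = name.strip().upper().partition("::")
    return (source, rest) if sep else (None, source)

def expand(name, as_sets):
    """Resolve an as-set to ASNs iteratively; `seen` stops membership loops."""
    asns, missing, seen, todo = set(), set(), set(), [split_source(name)[1]]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur.startswith("AS") and cur[2:].isdigit():
            asns.add(int(cur[2:]))
        elif cur in as_sets:
            todo.extend(as_sets[cur])
        else:
            missing.add(cur)  # referenced set with no object: no routing intent
    return asns, missing

def mark(announcements, as_set_name, as_sets, routes):
    """Mark each (prefix, origin) without dropping it, as in a mark-before-drop pilot."""
    allowed, _ = expand(as_set_name, as_sets)
    out = []
    for prefix, origin in announcements:
        if (ipaddress.ip_network(prefix), origin) not in routes:
            verdict = "invalid: no route object"
        elif origin not in allowed:
            verdict = "invalid: origin not in AS-SET"
        else:
            verdict = "valid"
        out.append((prefix, origin, verdict))
    return out

if __name__ == "__main__":
    sets, rts = load(IRR_DUMP)
    seen_on_session = [("192.0.2.0/24", 64500), ("203.0.113.0/24", 64502), ("192.0.2.128/25", 64500)]
    for row in mark(seen_on_session, "RADB::AS-EXAMPLE-PEER", sets, rts):
        print(row)
```

The `203.0.113.0/24` case is the one slide 18 describes: the route object exists, but the customer ASN was never added to the peer's AS-SET, so the announcement is marked invalid.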