SlideShare a Scribd company logo

BGP route leak

Thomas Mangin
Thomas Mangin

Tips on how to protect your network against BGP route leak from your BGP peers

TechnologyBusiness
1 of 16
Download to read offline
ROUTE FILTERING: If you accept free beer, expect an hangover Thomas Mangin AS30740 Linx 57, 21st of may 2007
Why I am standing here ? ● First hand experience with a Leak two weeks ago – Sending a full routing table all my linx peers – And transit providers – Since on more leak was announced on the Linx mailing-list – If you dig the linx-ops archive, leak is an industry sport ● Maxed our linx port quickly .. – Traffic mainly going to Level3 – Surely local-preference to blame – ... and peers
What should have happened ● Nothing should have happened – I should have not leaked, but I did .. – Transit providers handled the leak gracefully thanks to filters, as did some peers ● And then NOTHING – The routes should have been filtered inbound – Or max-prefix should have killed the session ● Two layers of protection failed, or were absent, on both side !
Protect yourself and your peers Protect your peers from your leak or be ready ... ● John will have do a repeat of this talk ● Worse, you will spend days with sessions in active (shameless plug to 31 peers out of 138) Protect yourself. ● I will do some maintenance work tomorrow night ● Nobody's perfect .. It only takes a few hours to prevent further leaks. ● If I done it ....
Protect your peers : Identify your transit routes Routes can be identified by and manipulated using: (1) outbound as-path filtering refuse to announce your transit (2) community to decide what to announce (3) prefixes : refuse announce bogons refuse announce small prefixes refuse announce known range (ix, etc.) (4) do not propagate private-asn
as-path filtering -outbound /* define the routes we have learned from transit (example) */ as-path routes-level3 3356.*; as-path routes-sprint 1239.*; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-transit { term remove-path { from { protocol bgp; as-path [ routes-level3 route-sprint ]; } then reject; } } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] export [ no-transit ];
community tagging /* define a communtiy to identify routes learned from transit */ community route-transit members 174:1239; /* create a policy to apply this community to a route */ policy-statement tag-transit { then { community add route-transit; } } /* make sure all routes from transit have that community */ [edit protocols bgp group transit] import [ tag-transit tag-transit-provider-specific ]; (repeat with peers)
community filtering /* define a policy rejecting routes identified as transit */ [edit policy-options] policy-statement export-transit { term remove-peering { from { protocol bgp; community route-transit; } then reject; } term remove-peering ... term remove-community ... term prepend-one-time ... } /* and make sure no linx peer sees it */ [edit protocols bgp group linx] export [ export-peering export-linx ]; Do not do typo with your community definition without (1).. it hurts ..
Those route no-one should have /* match and refuse any route smaller/longer than a /24 */ [edit policy-options] policy-statement no-small-prefixes { from { route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject; } then reject; } /* bogon, rfc1819, etc. */ [edit policy-options] policy-statement no-bogons { from { route-filter 224.0.0.0/4 orlonger reject; ...... } }
Those routes no-one should have /* Linx LAN */ policy-statement no-ix { from { route-filter 195.66.224.0/22 orlonger reject; } then reject; } /* should never get in or out */ [edit protocols bgp group linx] export [ no-small-prefixes no-ix no-bogons ]; import [ no-small-prefixes no-ix no-bogons ];
Protect yourself Do not trust your peer /mainly/ if you are peering with me: (1) use max-prefix to limit the number of route a peer can send you it is cheap, fast and works (2) refuse route with an as-path .. of a “T1” coming from peers of your customers from peer or transit with reserved ASN (3) Create inbound route filters
Max-Prefix Max-prefix will shutdown a session should the ebgp speaker send you more than a predefined number of routes (was it necessary to say it ?) neighbor 195.66.224.xxx { description "AS-ACCEPTED | Peer name | noc@peer.co.uk | AS-SENT"; family inet { unicast { prefix-limit { maximum 150; teardown 80; } } } peer-as 1234; }
as-path filtering -outbound /* define the routes you will never see through peers */ as-path leaked-sprint ".{1,}1239.*"; as-path leaked-telia ".{1,}1299.*"; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-leak { term remove-path { from { protocol bgp; as-path [ leaked-telia leaked-spring ]; } then reject; } } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] import [ no-leak ];
as-path filtering outbound Limitations : On cisco this works great as the count is performed on prefix accepted On juniper not as good the counting is done on prefix received (before any kind of filtering) Please push for this feature request to your SE : http://juniper.cluepon.net/index.php/ER_BGP_Prefix_limit_enhancements
Filter on IRR DB Some tools exist to help with the generation of filter based on the content of the IRR DB (RIPE, ARIN, etc.) http://irrpt.sourceforce.net/ Gather and Track prefix within AS-Macro.
Conclusion Renesys BGP white paper, Everything I said but in plain understandable english http://www.renesys.com/tech/white_papers/WP_BGP_rev6.pdf For those of you who prefer cisco talks http://www.apnic.org/meetings/15/tutorials/index.html

Recommended

Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiPavel Odintsov
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddosPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaPavel Odintsov
 
16 bgp
16 bgp16 bgp
16 bgpTCT
 
Computer network (14)
Computer network (14)Computer network (14)
Computer network (14)NYversity
 

Recommended

Janog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiJanog 39: speech about FastNetMon by Yutaka Ishizaki
Janog 39: speech about FastNetMon by Yutaka IshizakiPavel Odintsov
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddosPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaPavel Odintsov
 
16 bgp
16 bgp16 bgp
16 bgpTCT
 
Computer network (14)
Computer network (14)Computer network (14)
Computer network (14)NYversity
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 
Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routingnewbie2019
 
Bgp
BgpBgp
BgpGolak Nayak
 
Week14 lec2
Week14 lec2Week14 lec2
Week14 lec2syedhaiderraza
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithmsMoctardOLOULADE
 
Quick Guide Ip Routing
Quick Guide Ip RoutingQuick Guide Ip Routing
Quick Guide Ip RoutingCCNAResources
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
11 bgp-ethernet
11 bgp-ethernet11 bgp-ethernet
11 bgp-ethernetOlivier Bonaventure
 
Raj Jain The Ohio State University
Raj Jain The Ohio State UniversityRaj Jain The Ohio State University
Raj Jain The Ohio State UniversityVideoguy
 
Chapter_3_v8.1.pdf
Chapter_3_v8.1.pdfChapter_3_v8.1.pdf
Chapter_3_v8.1.pdfLNhi89
 
Session 3
Session 3Session 3
Session 3ahmed elmeghiny
 
Bgp
BgpBgp
BgpSatheesh Kirupai
 
Lec7
Lec7Lec7
Lec7Sanjeeva Perera
 
Network layer computer networks
Network layer computer networksNetwork layer computer networks
Network layer computer networksAKASHBAJWA
 
6.Routing
6.Routing6.Routing
6.Routingphanleson
 
Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)CCNAResources
 
Routing protocols
Routing protocolsRouting protocols
Routing protocolsN.Jagadish Kumar
 
Bigbgp
BigbgpBigbgp
Bigbgptushar sharda
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Wrou01
Wrou01Wrou01
Wrou01tanawan44
 
LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?Thomas Mangin
 
ExaBGP at LINX 83
ExaBGP at LINX 83ExaBGP at LINX 83
ExaBGP at LINX 83Thomas Mangin
 

More Related Content

Similar to BGP route leak

Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routingnewbie2019
 
Quick Guide Ip Routing
Quick Guide Ip RoutingQuick Guide Ip Routing
Quick Guide Ip RoutingCCNAResources
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
Raj Jain The Ohio State University
Raj Jain The Ohio State UniversityRaj Jain The Ohio State University
Raj Jain The Ohio State UniversityVideoguy
 
Chapter_3_v8.1.pdf
Chapter_3_v8.1.pdfChapter_3_v8.1.pdf
Chapter_3_v8.1.pdfLNhi89
 
Network layer computer networks
Network layer computer networksNetwork layer computer networks
Network layer computer networksAKASHBAJWA
 
Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)CCNAResources
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 

Similar to BGP route leak (20)

Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routing
 
Bgp
BgpBgp
Bgp
 
Week14 lec2
Week14 lec2Week14 lec2
Week14 lec2
 
Routing algorithms
Routing algorithmsRouting algorithms
Routing algorithms
 
Quick Guide Ip Routing
Quick Guide Ip RoutingQuick Guide Ip Routing
Quick Guide Ip Routing
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
 
11 bgp-ethernet
11 bgp-ethernet11 bgp-ethernet
11 bgp-ethernet
 
Raj Jain The Ohio State University
Raj Jain The Ohio State UniversityRaj Jain The Ohio State University
Raj Jain The Ohio State University
 
Chapter_3_v8.1.pdf
Chapter_3_v8.1.pdfChapter_3_v8.1.pdf
Chapter_3_v8.1.pdf
 
Session 3
Session 3Session 3
Session 3
 
Bgp
BgpBgp
Bgp
 
Lec7
Lec7Lec7
Lec7
 
Network layer computer networks
Network layer computer networksNetwork layer computer networks
Network layer computer networks
 
6.Routing
6.Routing6.Routing
6.Routing
 
Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)Building Scalable Cisco Internetworks (Bsci)
Building Scalable Cisco Internetworks (Bsci)
 
Routing protocols
Routing protocolsRouting protocols
Routing protocols
 
Bigbgp
BigbgpBigbgp
Bigbgp
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na Internet
 
Wrou01
Wrou01Wrou01
Wrou01
 

More from Thomas Mangin

LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?Thomas Mangin
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service providerThomas Mangin
 
IXLeeds 2 Technical Update
IXLeeds 2 Technical UpdateIXLeeds 2 Technical Update
IXLeeds 2 Technical UpdateThomas Mangin
 

More from Thomas Mangin (10)

LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?
 
ExaBGP at LINX 83
ExaBGP at LINX 83ExaBGP at LINX 83
ExaBGP at LINX 83
 
VOIP QOS
VOIP QOSVOIP QOS
VOIP QOS
 
Naked BGP
Naked BGPNaked BGP
Naked BGP
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service provider
 
ExaProxy
ExaProxyExaProxy
ExaProxy
 
ScavengerEXA
ScavengerEXAScavengerEXA
ScavengerEXA
 
AS-STATS
AS-STATSAS-STATS
AS-STATS
 
IXLeeds 2 Technical Update
IXLeeds 2 Technical UpdateIXLeeds 2 Technical Update
IXLeeds 2 Technical Update
 
IXLeeds
IXLeeds IXLeeds
IXLeeds
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

BGP route leak

  • 1. ROUTE FILTERING: If you accept free beer, expect an hangover Thomas Mangin AS30740 Linx 57, 21st of may 2007
  • 2. Why I am standing here ? ● First hand experience with a Leak two weeks ago – Sending a full routing table all my linx peers – And transit providers – Since on more leak was announced on the Linx mailing-list – If you dig the linx-ops archive, leak is an industry sport ● Maxed our linx port quickly .. – Traffic mainly going to Level3 – Surely local-preference to blame – ... and peers
  • 3. What should have happened ● Nothing should have happened – I should have not leaked, but I did .. – Transit providers handled the leak gracefully thanks to filters, as did some peers ● And then NOTHING – The routes should have been filtered inbound – Or max-prefix should have killed the session ● Two layers of protection failed, or were absent, on both side !
  • 4. Protect yourself and your peers Protect your peers from your leak or be ready ... ● John will have do a repeat of this talk ● Worse, you will spend days with sessions in active (shameless plug to 31 peers out of 138) Protect yourself. ● I will do some maintenance work tomorrow night ● Nobody's perfect .. It only takes a few hours to prevent further leaks. ● If I done it ....
  • 5. Protect your peers : Identify your transit routes Routes can be identified by and manipulated using: (1) outbound as-path filtering refuse to announce your transit (2) community to decide what to announce (3) prefixes : refuse announce bogons refuse announce small prefixes refuse announce known range (ix, etc.) (4) do not propagate private-asn
  • 6. as-path filtering -outbound /* define the routes we have learned from transit (example) */ as-path routes-level3 3356.*; as-path routes-sprint 1239.*; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-transit { term remove-path { from { protocol bgp; as-path [ routes-level3 route-sprint ]; } then reject; } } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] export [ no-transit ];
  • 7. community tagging /* define a communtiy to identify routes learned from transit */ community route-transit members 174:1239; /* create a policy to apply this community to a route */ policy-statement tag-transit { then { community add route-transit; } } /* make sure all routes from transit have that community */ [edit protocols bgp group transit] import [ tag-transit tag-transit-provider-specific ]; (repeat with peers)
  • 8. community filtering /* define a policy rejecting routes identified as transit */ [edit policy-options] policy-statement export-transit { term remove-peering { from { protocol bgp; community route-transit; } then reject; } term remove-peering ... term remove-community ... term prepend-one-time ... } /* and make sure no linx peer sees it */ [edit protocols bgp group linx] export [ export-peering export-linx ]; Do not do typo with your community definition without (1).. it hurts ..
  • 9. Those route no-one should have /* match and refuse any route smaller/longer than a /24 */ [edit policy-options] policy-statement no-small-prefixes { from { route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject; } then reject; } /* bogon, rfc1819, etc. */ [edit policy-options] policy-statement no-bogons { from { route-filter 224.0.0.0/4 orlonger reject; ...... } }
  • 10. Those routes no-one should have /* Linx LAN */ policy-statement no-ix { from { route-filter 195.66.224.0/22 orlonger reject; } then reject; } /* should never get in or out */ [edit protocols bgp group linx] export [ no-small-prefixes no-ix no-bogons ]; import [ no-small-prefixes no-ix no-bogons ];
  • 11. Protect yourself Do not trust your peer /mainly/ if you are peering with me: (1) use max-prefix to limit the number of route a peer can send you it is cheap, fast and works (2) refuse route with an as-path .. of a “T1” coming from peers of your customers from peer or transit with reserved ASN (3) Create inbound route filters
  • 12. Max-Prefix Max-prefix will shutdown a session should the ebgp speaker send you more than a predefined number of routes (was it necessary to say it ?) neighbor 195.66.224.xxx { description "AS-ACCEPTED | Peer name | noc@peer.co.uk | AS-SENT"; family inet { unicast { prefix-limit { maximum 150; teardown 80; } } } peer-as 1234; }
  • 13. as-path filtering -outbound /* define the routes you will never see through peers */ as-path leaked-sprint ".{1,}1239.*"; as-path leaked-telia ".{1,}1299.*"; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-leak { term remove-path { from { protocol bgp; as-path [ leaked-telia leaked-spring ]; } then reject; } } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] import [ no-leak ];
  • 14. as-path filtering outbound Limitations : On cisco this works great as the count is performed on prefix accepted On juniper not as good the counting is done on prefix received (before any kind of filtering) Please push for this feature request to your SE : http://juniper.cluepon.net/index.php/ER_BGP_Prefix_limit_enhancements
  • 15. Filter on IRR DB Some tools exist to help with the generation of filter based on the content of the IRR DB (RIPE, ARIN, etc.) http://irrpt.sourceforce.net/ Gather and Track prefix within AS-Macro.
  • 16. Conclusion Renesys BGP white paper, Everything I said but in plain understandable english http://www.renesys.com/tech/white_papers/WP_BGP_rev6.pdf For those of you who prefer cisco talks http://www.apnic.org/meetings/15/tutorials/index.html