nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Andrey Kostin <ankost () podolsk ru>
Date: Thu, 23 Apr 2020 12:31:17 -0400
Christopher Morrow писал 2020-04-22 14:05:
a question about the data types here... So, a neighbor with no downstream ASN could be filtered directly with ROA == prefixlist-content. A neighbor with a downstream ASN has to be ROA (per asn downstream) == prefixlist-content. So you'd now have to do some calculations which are more complicated than just; "is roa for this prefix here and valid" to construct a prefix-list. correct?Sorry, and this sidesteps the intent of the peer as well. For instance you may have a peer with 2 'downstream' asn, only 1 of which they wish to provide transit to you (from you?) for... how would you know this intent/policy from the peer's perspective? today you know that (most likely) from IRR data. is your answer ASPA / AS-Cone ?
ASPA/As-Cone is a concept about whole as-path verification afaik, but I may be mistaken. ROA validation prevents hijacking but doesn't prevent route-leaks. If my transit providers already do ROV, effect of doing it in local network will be limited to direct peers only and expected to be considerably small. For route-leaks prevention we still have to rely on IRR and filters configured directly on routers. Maintaining filters on routers is quite intensive task and they took a lot of space in the configuration. Adopting validation or similar mechanism for it could make it more dynamic and less resources-consuming. Or maybe I'm trying to invent a bicycle?
Kind regards, Andrey
Current thread:
- Re: "Is BGP safe yet?" test, (continued)
- Re: "Is BGP safe yet?" test Danny McPherson (Apr 22)
- Re: "Is BGP safe yet?" test Warren Kumari (Apr 22)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 21)
- Re: "Is BGP safe yet?" test Matt Corallo via NANOG (Apr 21)
- Re: "Is BGP safe yet?" test Jay R. Ashworth (Apr 22)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 22)
- Re: "Is BGP safe yet?" test Danny McPherson (Apr 22)
- Re: "Is BGP safe yet?" test Christopher Morrow (Apr 22)
- Re: "Is BGP safe yet?" test Christopher Morrow (Apr 22)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 23)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 22)
- Re: "Is BGP safe yet?" test Vincent Bernat (Apr 22)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 23)