Thanks Robert.

I did it without using ios-regex or other time-consuming string conversion stuff.
Still, this method cannot scale to cover every one of the several thousand AS neighbors that some ISPs have.
IOS cannot handle that many as-path access-lists.
I can see that the simple rule of "do not allow peer routes from a customer" doesn't cut it, because some tier-1s have a lot of customers with over 10000 routes each.
My filters will certainly cover all the major peers as well as major customers of ISPs.
I included a limit on the number of policies to write, so that it will just get the major ones.
Also, if a routing table includes leaks, then the resulting policies will continue to allow the leaks.
Also, some of the filters may need to add some upstreams that are not in the table of the day.
Basically, it is a start that may require a bit of tweaking.
I have a better idea of what to commit to the IOS.
It will be far more efficient, but I want to gauge interest first.

Jakob.

From: [email protected] [mailto:[email protected]] On Behalf Of Robert Raszuk
Sent: Friday, May 05, 2017 3:27 PM
To: Jakob Heitz (jheitz) <[email protected]>
Cc: [email protected]
Subject: Re: [GROW] [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Hi Jakob,

This is really great and exactly what I had in mind when I proposed auto-policy based on AS_PATH check. Can you commit it to IOS so it is built-in with a knob to use?

Cheers,
R.

On Sat, May 6, 2017 at 12:09 AM, Jakob Heitz (jheitz) <[email protected]> wrote:
Even if violating router OSes are updated, leaks will continue for a long time.
I hope I can help on the filtering side. No RFC or vendor code change required.

I wrote an app in C that takes the output of "show bgp" and creates a set of route-policies that will prevent the leaks.
It looks at the as-paths, finds your neighbors and then all their upstreams.
Then it writes as-path policies to allow only those upstreams for your neighbors.
You then use the policy in your neighbor inbound policies to either drop or set a low localpref. There is a way to show the routes that are disallowed.
Sorry, it only works with Cisco.
The source is free for anyone to do whatever they want.
Other vendors can adapt it at will.

Compile it at a Linux command line: "cc showbgp2policy.c".
Sorry about the C, but Python is not my mother tongue.
Start with num_policies of 30 and see how it looks.


Thanks,
Jakob.


_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
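As an added illustration of the approach Jakob describes in the quoted message (this is not his showbgp2policy.c and not Cisco code): a small Python sketch that takes AS_PATH strings as they would be extracted from the Path column of "show bgp", treats the first AS of each path as the direct neighbor and the AS right behind it as that neighbor's upstream, ranks neighbors by route count to honour a num_policies limit (the ranking criterion is my assumption; the thread only says "the major ones"), and emits IOS as-path access-lists that permit only the observed upstreams. The sample paths, the access-list numbers and the function names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample input: the AS_PATH of each route as it would be taken from
# the Path column of "show bgp" (one path per line). 65001 is a customer that
# prepends, 65002 and 65003 are peers. Not real routing data.
SAMPLE_PATHS = """
65001 65010
65001 65001 65010
65001 65011
65001 65010 65100
65002 65020
65002 65021 65200
65002 65022
65003 65030
""".strip().splitlines()


def parse_as_path(text):
    """Return an AS_PATH string as a list of ints with prepends collapsed.

    AS_SET segments ({65100,65101}) are not handled by this example."""
    if "{" in text:
        raise ValueError("AS_SET segments are not supported: %r" % text)
    path = []
    for tok in text.split():
        asn = int(tok)
        if not path or path[-1] != asn:  # collapse "65001 65001" -> 65001
            path.append(asn)
    return path


def learn_upstreams(path_lines):
    """Map each direct neighbor AS (first AS of the path) to the set of ASes seen
    right behind it, and count routes per neighbor for ranking.

    Caveat from the thread: a leak already present in the table is learned as a
    legitimate upstream here and will be permitted by the generated policy."""
    upstreams = defaultdict(set)
    routes = Counter()
    for line in path_lines:
        path = parse_as_path(line)
        if not path:
            continue
        neighbor = path[0]
        routes[neighbor] += 1
        if len(path) > 1:
            upstreams[neighbor].add(path[1])
    return upstreams, routes


def build_policies(path_lines, num_policies=30, first_acl=100):
    """Emit 'ip as-path access-list' lines for the num_policies neighbors that
    contribute the most routes (assumed ranking). Each list permits routes the
    neighbor originates itself and routes that pass through one of its observed
    upstreams; the implicit deny at the end of the list is what an inbound
    route-map uses to drop the rest or set a low local preference."""
    upstreams, routes = learn_upstreams(path_lines)
    lines = []
    acl = first_acl
    for neighbor, _count in routes.most_common(num_policies):
        own = "^%d(_%d)*" % (neighbor, neighbor)  # neighbor plus any prepends
        lines.append("ip as-path access-list %d permit %s$" % (acl, own))
        allowed = sorted(upstreams[neighbor])
        if allowed:
            lines.append("ip as-path access-list %d permit %s_(%s)_"
                         % (acl, own, "|".join(str(a) for a in allowed)))
        acl += 1
    return lines


def disallowed_paths(baseline_lines, candidate_lines):
    """Return the candidate AS_PATH strings that policies learned from
    baseline_lines would not permit (an offline 'show me what gets dropped')."""
    upstreams, routes = learn_upstreams(baseline_lines)
    rejected = []
    for line in candidate_lines:
        path = parse_as_path(line)
        if not path or path[0] not in routes:
            rejected.append(line)  # unknown neighbor: no policy permits it
        elif len(path) > 1 and path[1] not in upstreams[path[0]]:
            rejected.append(line)  # route arrives via an upstream never seen
    return rejected


if __name__ == "__main__":
    for line in build_policies(SAMPLE_PATHS, num_policies=2):
        print(line)
    print(disallowed_paths(SAMPLE_PATHS, ["65001 65200 65300", "65001 65010"]))
```

On the router, each generated list would be referenced from the inbound route-map of the matching neighbor: a permit entry that matches the as-path list, followed by a deny entry (or a permit that sets a low local preference). Because `_` in IOS as-path regular expressions also matches the end of the path, the `_(65010|65011)_` clause covers routes that terminate at the upstream. The `disallowed_paths` check also makes the caveat from the thread visible: a leaked path that is already in the baseline table gets learned as an upstream and is then permitted, so the baseline should be inspected before the policies are committed.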
