On 31/10/2015 08:19, James Bensley wrote:
> Six of one, half a dozen of the other

wait now, step back a sec. On the internet, we care about reachability. Reachability is determined by prefixes. So by inference we care about whether prefixes are legit or not, for some definition of "legit".

The AS path is not much more than the distance vector metric for eBGP. The only thing you're using the AS path for is to compare the network distance across multiple upstreams/peers. If there's junk in the AS path of one form or another - e.g. weird confed stuff, private intermediate ASNs, upstream monopoly providers doing strange things with customer ASNs, ASN typos, AS23456, etc - does this make a meaningful statement about the legitimacy of the prefix?

I'd say that nuking reachability because an AS path is displeasing is a pretty arbitrary approach to handling reachability hygiene, because you have no way of knowing why the AS path is like that and whether that actually means anything. Bear in mind that the leaf ASN loses control of the AS path the moment they announce their prefix to their peers / upstreams. Their upstream has full control to update / insert / delete anything in there that they please.

I've been at the receiving end of monopoly upstreams doing crazybad dumb stuff with AS paths and it's not pretty. It doesn't reflect badly on the legitimacy of the prefix in any way - it's merely a statement that the intermediate network is clueless, but was in the circumstances the only thing which stopped the leaf network from going completely dark for days at a time.

If you're going to do this, I'd suggest you measure what prefixes you're cutting out first and try to make some judgement about whether they are legitimate from some other point of view. Maybe it's not going to matter a whole lot, but I'd suspect that you're fixing the wrong problem in terms of tackling prefix origination legitimacy, and in some - perhaps many - cases you're going to end up punishing leaf networks for third party stupidity which they cannot control.

This is apart from ruining your convergence completion time.

Nick
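The "measure before you drop" approach in the post above, as an added example that is not part of the original message or of any router vendor's policy language: a small Python audit that applies the kinds of AS-path hygiene rules the post lists (private ASNs, AS_TRANS 23456, reserved ASNs, leaked confederation segments, AS_SETs) to a constructed RIB sample and reports, per prefix, whether the offending ASN sits on the origin hop or only on an intermediate hop. The sample routes, the prefixes and the AS paths are all constructed; the ASN ranges are the IANA reservations (RFC 6996 private ASNs, RFC 6793 AS_TRANS, RFC 7607 AS 0, RFC 7300 last ASNs), and the split between "origin suspect" and "third party only" is this example's own classification, not an established standard.

```python
"""AS-path hygiene audit over a constructed RIB sample (added example, not from
the original post). Rules flag the "displeasing" AS-path features the post
mentions; the summary separates prefixes whose problem is on the origin hop
from prefixes that would only be dropped because of an intermediate hop."""
from dataclasses import dataclass

PRIVATE_ASN = (range(64512, 65535), range(4200000000, 4294967295))  # RFC 6996
AS_TRANS = 23456                        # RFC 6793: 2-byte placeholder for a 4-byte ASN
RESERVED_ASN = {0, 65535, 4294967295}   # RFC 7607 (AS 0) and RFC 7300 (last ASNs)

# Constructed sample: "<prefix> <AS_PATH as a looking glass prints it>", one route
# per line. 64496-64511 are documentation ASNs (RFC 5398) standing in for leaf origins.
SAMPLE_RIB = """\
192.0.2.0/24        3356 174 64496
198.51.100.0/24     3356 64512 64496
203.0.113.0/24      3356 23456 64496
2001:db8::/32       6939 (65001 65002) 64497
192.0.2.0/25        3356 65535 64496
2001:db8:1::/48     6939 3356 64498
192.0.2.128/25      174 {64499 64500}
198.51.100.128/25   3356 174 65000
"""


@dataclass
class Verdict:
    prefix: str
    reasons: list  # [(description, blames_origin)]; empty list means the path is clean

    @property
    def dropped(self):
        return bool(self.reasons)

    @property
    def third_party_only(self):
        """Would be dropped, yet every reason sits on an intermediate hop."""
        return self.dropped and not any(blame for _, blame in self.reasons)


def parse_as_path(text):
    """Tokenise an AS_PATH string into [(asn, kind)] with kind 'seq', 'set' (inside {})
    or 'confed' (inside ()). A non-numeric token (e.g. a typo) raises ValueError."""
    for ch in "{}()":
        text = text.replace(ch, f" {ch} ")
    kind, out = "seq", []
    for tok in text.split():
        if tok == "{":
            kind = "set"
        elif tok == "(":
            kind = "confed"
        elif tok in ("}", ")"):
            kind = "seq"
        elif tok.isdigit():
            out.append((int(tok), kind))
        else:
            raise ValueError(f"non-numeric ASN token {tok!r}")
    return out


def classify(path):
    """Return [(reason, blames_origin)] for a parsed AS path; empty means clean."""
    if not path:
        return [("empty AS path on an eBGP route", True)]
    reasons, last = [], len(path) - 1
    for i, (asn, kind) in enumerate(path):
        is_origin = i == last
        hop = "origin" if is_origin else "intermediate"
        if asn == AS_TRANS:
            reasons.append((f"AS_TRANS 23456 at {hop} hop (4-byte ASN squashed by a 2-byte speaker)", is_origin))
        elif asn in RESERVED_ASN:
            reasons.append((f"reserved ASN {asn} at {hop} hop", is_origin))
        elif any(asn in r for r in PRIVATE_ASN):
            reasons.append((f"private ASN {asn} at {hop} hop", is_origin))
        if kind == "set":
            reasons.append((f"AS_SET containing {asn} at {hop} hop", is_origin))
    if any(kind == "confed" for _, kind in path):
        # Confederation segments are an intermediate network's internals leaking out.
        reasons.append(("confederation segment leaked into eBGP", False))
    return reasons


def audit(rib_text):
    """Run the rules over every '<prefix> <as_path>' line; one Verdict per route."""
    verdicts = []
    for line in rib_text.splitlines():
        if not line.strip():
            continue
        prefix, _, path_text = line.strip().partition(" ")
        try:
            reasons = classify(parse_as_path(path_text))
        except ValueError as exc:
            reasons = [(f"unparseable AS path: {exc}", True)]
        verdicts.append(Verdict(prefix, reasons))
    return verdicts


def summarize(verdicts):
    """The counts to look at before turning a tag-only policy into a drop policy."""
    dropped = [v for v in verdicts if v.dropped]
    return {
        "total": len(verdicts),
        "dropped": len(dropped),
        "origin_suspect": sum(1 for v in dropped if not v.third_party_only),
        "third_party_only": sum(1 for v in dropped if v.third_party_only),
    }


if __name__ == "__main__":
    results = audit(SAMPLE_RIB)
    for v in results:
        flag = "DROP" if v.dropped else "ok  "
        note = " (origin not at fault)" if v.third_party_only else ""
        print(f"{flag} {v.prefix:20}{note}", *[f"\n       - {r}" for r, _ in v.reasons])
    print(summarize(results))
```

Run it against a real table export instead of SAMPLE_RIB and the "third_party_only" count is the number of prefixes the post warns about: routes a strict AS-path filter would drop for something the leaf network never did. Swap in a looking-glass dump with the same "prefix path" layout and the parser needs no changes; the rules and the origin/intermediate split are the parts worth tuning to your own view of what "legit" means.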
