On 4/Nov/15 10:42, James Bensley wrote:
> Are you suggesting that people shouldn't filter as-paths? Presumably
> you wouldn't be that stupid so I'll assume not,...

Well, the end goal is filtering of prefixes. AS_PATH filters, like BGP communities, are just a way to identify those prefixes in the first place.

We, for example, use standard prefix lists for peering and transit sessions. That cuts out a lot of junk. If we use AS_PATH filters, it is to do traffic engineering mostly, and not to drop routes.

On the other hand, we do use both prefix + AS_PATH filters when activating downstream customers as a standard rule. This avoids Pakistan/PCCW/Youtube issues, as you know.

max-prefix limits + prefix lists on peering sessions is very powerful. There are only a handful of peers, globally, who would be sending you too many routes to consider anything other than this filtering pair, IMHO.

> so yes whilst people can still send funky AS paths the same is true
> for any BGP attribute, all I need is to receive a value out of range
> for the code I'm running and/or receive a malformed NLRI to trigger a
> router OS bug and, pop!

Agree - but, also, don't run old code.

> Surely at least trying to protect your own network is better than not
> trying given how easy it is to implement AS path filters?

In your peering and transit prefix lists, include your own prefixes as a reject. Don't need an AS_PATH filter for that...

Mark.
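The filtering pair from the message above (a prefix list that rejects your own prefixes, plus a max-prefix limit) and the prefix + AS_PATH rule for downstream customers, as an added Python example that is not part of the original post. All prefixes, ASNs, the limit and the function names are constructed, and counting accepted prefixes against the limit is an assumption (router implementations differ).

```python
import ipaddress

# Constructed sample values: documentation prefixes and private-use ASNs.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_ASN = 64512
MAX_PREFIX = 3  # hypothetical per-session limit

def covered(net, prefix_list):
    """True if net equals or is a more-specific of any entry in prefix_list."""
    return any(net.version == p.version and net.subnet_of(p) for p in prefix_list)

def peer_accepts(prefix, as_path):
    """Peering/transit policy: our own space is an explicit reject."""
    return not covered(ipaddress.ip_network(prefix), OWN_PREFIXES)

def customer_accepts(prefix, as_path):
    """Downstream customer policy: prefix list AND AS_PATH must both match."""
    net = ipaddress.ip_network(prefix)
    in_list = covered(net, CUSTOMER_PREFIXES) and net.prefixlen <= 24
    # Path may contain only the customer's ASN (prepends allowed).
    path_ok = bool(as_path) and all(asn == CUSTOMER_ASN for asn in as_path)
    return in_list and path_ok

def run_session(updates, accept):
    """Apply a policy; tear the session down once max-prefix is exceeded."""
    accepted = []
    for prefix, as_path in updates:
        if accept(prefix, as_path):
            accepted.append(prefix)
        if len(accepted) > MAX_PREFIX:
            return "teardown", accepted
    return "established", accepted

# Constructed updates from a peer: one is our own space, and there are too many.
SAMPLE_PEER_UPDATES = [
    ("192.0.2.0/24", [64500]),
    ("203.0.113.128/25", [64500, 64501]),   # more-specific of our prefix
    ("198.18.0.0/15", [64500]),
    ("100.64.0.0/10", [64500]),
    ("198.51.100.0/24", [64500, 64512]),
]

if __name__ == "__main__":
    print(run_session(SAMPLE_PEER_UPDATES, peer_accepts))
    print(customer_accepts("198.51.100.0/24", [64512, 64512]))  # legitimate
    print(customer_accepts("203.0.113.0/24", [64512]))          # not theirs
```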
