ntacpeering - Re: Today's BGP incidents

Subject: NTAC Peering Working Group

  • From: Chris Robb <>
  • To: Steven Wallace <>
  • Cc: "" <>
  • Subject: Re: Today's BGP incidents
  • Date: Sat, 5 Jan 2013 14:25:21 -0500

Hi Steve. We have a few safeguards that would prevent this on our International and Federal peerings.

Before I describe those, it's important for everyone to recognize that domestically, all of our connectors have explicit prefix lists, so anything beyond the approved set of participant routes would be rejected immediately. 

On our R&E peer connections to international and federal networks, we don't have the luxury of having an explicit prefix list available to us. So, each peer is configured with a default limit of 3,000 routes. There was some NTAC discussion (2008?) about creating different tiers to that number so that our smaller peers get a more tightened limit and the larger ones might get something higher. As it stands, we might place an exception in place for a network like GEANT, but the limits are very close to what they advertise today.

The second safeguard is a commercial AS number sanity filter. It contains most of the large commercial networks. Anything with that appearing in the BGP advertisement AS path will be rejected before hitting the routing table. 

We've talked at times about implementing AS-path filtering for our peers and using the routing registries to harden this up a bit. We might revisit that as part of this. 

-Chris

-- 
Chris Robb, Internet2 Director of Operations and Engineering
O: 812.855.8604  C: 812.345.3188
****************
Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook



On Jan 5, 2013, at 12:20 PM, Steven Wallace <> wrote:



Hans, is it possible that the NLR leak was accepted by I2's international peers, then I2 accepted these being re-advertised by the International peers (until the peers were shut down as they exceeded their prefix limits)? That would explain how I2 may have participated in the leakage.

steven





On 1/4/13 5:41 PM, "Hans Addleman" <> wrote:

Hi Bill,

Apologies for the late response.

Internet2 routers during this time dropped many of our BGP sessions with
international peers that were affected by the route leakage. All of our
International peerings are safeguarded by prefix limits and we saw a
number of them go down as they went over this limit.

As Dale stated we do not peer directly with NLR and we do not believe
that we perpetuated this leakage. However, if you or anyone does find
evidence that we did please share and I will investigate further.

Currently the NOC is pulling together a list of which peers we saw drop
during this outage due to prefix limit exceeded.

Our current limit for all International peers is set at 4000.

Thanks!
Hans Addleman
IU Global NOC Engineer
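
The import safeguards discussed in this thread (explicit prefix lists for connectors, a commercial-AS path filter, and a per-peer prefix limit), modelled as an added example that is not from the thread or from Internet2's router configuration. Assumptions: the ASNs in COMMERCIAL_ASNS are illustrative stand-ins, the limit counts routes that passed the filters, the prefixes and the peer/origin ASNs 64496/64497 are constructed, and all class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import islice
from typing import Optional

# Assumption: a few well-known commercial transit ASNs stand in for the
# sanity filter's contents, which the thread does not list.
COMMERCIAL_ASNS = {174, 701, 1299, 3356, 7018}

@dataclass
class PeerSession:
    name: str
    max_prefixes: int = 3000             # default per-peer limit from the thread
    prefix_list: Optional[set] = None    # explicit list (domestic connectors only)
    up: bool = True
    accepted: set = field(default_factory=set)

    def receive(self, prefix, as_path):
        """Apply the import checks to one announcement; return the outcome."""
        if not self.up:
            return "session-down"
        if self.prefix_list is not None and prefix not in self.prefix_list:
            return "not-in-prefix-list"
        if COMMERCIAL_ASNS.intersection(as_path):
            return "commercial-as-in-path"   # dropped before the routing table
        self.accepted.add(prefix)
        # Assumption: the limit counts routes that survived the filters.
        if len(self.accepted) > self.max_prefixes:
            self.up = False                  # tear the session down
            self.accepted.clear()            # and flush the routes learned from it
            return "max-prefix-teardown"
        return "accepted"

def constructed_leak(n):
    """n constructed /24s from 10.0.0.0/8 (sample data, not real routes)."""
    nets = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    return [str(p) for p in islice(nets, n)]

def replay(session, prefixes, as_path):
    """Feed a burst of announcements to a session and tally the outcomes."""
    tally = {}
    for prefix in prefixes:
        outcome = session.receive(prefix, as_path)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally

if __name__ == "__main__":
    # 64496/64497 are documentation ASNs used as constructed peer and origin.
    print(replay(PeerSession("peer-a"), constructed_leak(5000), [64496, 3356, 64497]))
    print(replay(PeerSession("peer-b"), constructed_leak(5000), [64496, 64497]))
```

In this model the burst whose path carries a commercial ASN is rejected route by route and the session stays up, while the burst with no commercial ASN in the path passes the filter and is stopped only when the prefix limit drops the session.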












