ntacpeering - Internet2 I2PX publishing AS-SET for peers to use for route filtering
Subject: NTAC Peering Working Group
List archive
- From: Jeff Bartig <>
- To: NTAC <>
- Cc: , "" <>
- Subject: Internet2 I2PX publishing AS-SET for peers to use for route filtering
- Date: Tue, 28 Jul 2020 11:19:47 -0500
NTAC Members, Wednesday evening (7/29) I plan to update the PeeringDB.com record for I2PX/AS11164 to include an AS-SET. This was announced on this months NTAC call and discussed at last week's NTAC Peering/Routing WG call. There have been numerous NTAC discussions on this topic over the past year, and we've finally reached a point where we need to take this final step. The Internet2 community has made good efforts towards having all of our routes properly documented in Internet Routing Registries (IRRs) and Google has announced that they are about to start using this data for filtering routes from their BGP peers. The I2PX AS-SET is AS11164:AS-ALL. This is a simple AS-SET that contains just two member AS-SETs, AS-INTERNAL (Internet2 ASNs) and AS-PARTICIPANTS. The AS-PARTICIPANTS AS-SET contains an AS-SET for each Internet2 I2PX participant that has a direct BGP neighbor with I2PX/AS11164. If your network or campus is downstream of one of these direct BGP participants, your ASN should be included in their AS-SET. https://www.radb.net/query?advanced_query=&keywords=as11164%3Aas-all https://www.radb.net/query?advanced_query=&keywords=as11164%3Aas-participants While Google filtering routes has been a significant new incentive for accurate IRR data, IRR data is already used by many other networks to filter routes they learn from peers. Since I2PX hasn't had an AS-SET published for its peers to use, it is possible that some peers have been filtering/rejecting all I2PX routes while others are not currently doing prefix filtering. Over the days after the I2PX AS-SET appears in PeeringDB, these networks will likely discover and start using it for filtering. Some peers may start accepting routes from I2PX for the first time, while others may start dropping some undocumented I2PX routes for the first time. For properly documented prefixes, this could result in some traffic shifting from paid transit to I2PX peering. For prefixes still not properly documented with a ROUTE/ROUTE6 object, this could result in traffic shifting from I2PX peering to paid transit. Google plans to initially just report on the action they might take with I2PX routes before they start filtering, so I don't expect any immediate change in Google traffic. Steve Wallace and I have had many outreach calls and emails with the community to help improve IRR adoption and accuracy. Steve's latest analysis shows that we've reached a point where 97% of the prefixes participants announce to I2PX either explicitly match a ROUTE/ROUTE6 object in an IRR or at least match an aggregate ROUTE/ROUTE6 object. This is the requirement set by Google for the filtering they they plan to initially deploy. They will be accepting longer matches. There is no standard approach for filtering. Some networks do require explicit matches and will drop more specific advertisements that don't have a ROUTE/ROUTE6 object. An example of a network with strict filtering is Hurricane Electric. Two weeks ago, I2PX communicated our AS-SET to Hurricane via our AUT-NUM object. Hurricane is filtering more specific routes from I2PX that don't have matching IRR ROUTE/ROUTE6 objects. Hurricane does go a little further than many networks and merges in RPKI ROA data and will accept ROA valid prefixes that are missing their IRR data. Most networks don't do this, though, so even if you are using RPKI ROAs, you should still keep your IRR data up to date. Hurricane has a web portal where they make their route filtering results available. You can see the results by clicking on the links under the REASONS column. Currently, almost 1400 I2PX participant prefixes are being dropped by Hurricane, which are primarily more specific prefixes of accepted aggregate routes. Networks should be documenting their more specific advertisements in an IRR, if they want to make sure they get accepted by peers. https://routing.he.net/?cmd=search&pattern=11164 Steve has been providing reports to Internet2 Connectors and any Internet2 network participants that have direct BGP neighbors with I2PX/AS11164. We are happy to provide updated reports if anyone needs them to check on the status of their prefixes in the IRR data. Hurricane's reports above can also be used to see how an ISP might view your IRR data. IRRExplorer has also been a useful tool: http://irrexplorer.nlnog.net/ If you have questions or need assistance with your IRR records, Steve and I are happy to help out. Just email . Steve has collected together information and links from our past community events related to IRR: https://bit.ly/2kvcq7y The NTAC IRR working group has both a mailing list and slack channel. Details about joining are in document above. Jeff |
- Internet2 I2PX publishing AS-SET for peers to use for route filtering, Jeff Bartig, 07/28/2020
Archive powered by MHonArc 2.6.19.