At REANNZ we maintain an AS-SET with all our customers. We use this for commodity peering, transit, etc and this is recorded in peeringdb.
However, it doesn't include NREN transit/backup. I don't really want to add NREN transit to that AS-SET as I have no intention of announcing those prefixes to my commodity peers and not including them provides some protection against making a mistake and leaking them.

What I would like to do is maintain a second AS-SET that points to my regular AS-SET as well as the list of NREN AS or AS-SETs I might provide transit to. The problem I see is where to record this? Peeringdb doesn't have a suitable field other than notes. 

Example:
AS-REANNZ-MEMBERS => AS38022,AS38299,...  (used for commodity)
AS-REANNZ-NREN => AS-REANNZ-MEMBERS,AS7575:AS-CUSTOMER,AS6360,...  (used for NREN)

My second thought, where do we record our AS-SET's and other objects?
We currently use RADB because I can create proxy records for my customers who don't generally do a great job of maintaining their own records in APNIC. That said, if I want to push them towards using RPKI they'll need to use APNIC, so maybe the answer isn't to rely on RADB.

Dylan


From: Steven Wallace <ssw@internet2.edu>
Sent: Wednesday, 27 March 2024 2:22 AM
To: routing-wg@lists.gna-g.net <routing-wg@lists.gna-g.net>
Cc: Paul Howell <phowell@internet2.edu>; Ryan Harden <rharden@internet2.edu>; Jeff Bartig <jbartig@internet2.edu>; Chris Wilkinson <cwilkinson@internet2.edu>
Subject: [Routing-wg] looking at published customer cones vs. ground truth..
 
[You don't often get email from ssw@internet2.edu. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Greetings,

Internet2 doesn’t explicitly filter routes it receives from NREN peers. It does apply standard sanity checks, but all legitimate routes are accepted. It is common practice among NRENs to exchange their customers’ routes AND routes heard from other NRENs. Internally, we sometimes refer to the entire collection of NREN routes as ITN (International Transit Network). This practice of offering mutual transit has served the NREN community by providing redundancy and allowing for more sparse interconnection points. For example, Internet2 becomes a transit AS interconnecting networks that land on the east and west coasts of the US.

However, not explicitly filtering routes among the NRENs has downsides. Last week, an NREN unintentionally announced many non-NREN routes to Internet2. The number of routes announced triggered a shutdown of the BGP session, and the increase in Internet2’s route table size caused a network in the US to shut down its peering with Internet2. Explicitly filtering routes received from our NREN peer would have mitigated this incident.

Building a filter based on a peer’s as-cone could be a reasonable standard practice to improve routing security if NRENs only exchanged their customer routes. An approach that might fit our needs better could include a published as-set representing the customer as-cone for each NREN, plus the RPSL (I’m not an RPSL expert, but I assume this is possible) needed to convey which customer and transit routes to accept from a peer.

Another approach might be to maintain an as-cone for the entire ITN, and use that as the basis for a filter. There are approximately 2,600 ASs in the ITN.

I’m not a BGP expert, but I’d like to support a conversation among the NRENs to explore options and, potentially, to recommend best practices to improve our collective routing security while maintaining our transit policies.


I’ve generated some data to spark the conversation. Firstly, I need to say that if Internet2 were in this list, it would show “No AS-SET for Internet2 (AS11537).” We’re reluctant to publish such an as-set as there isn’t a well-understood interpretation of how it would be used among NRENs. If Internet2 published its as-cone via an as-set, would other networks apply prefix filters based on this as-set and reject routes from the other NRENs that are part of the ITN?

Based on routing data from bgp.nsrc.org and sources like the IRRs and peeringdb, here’s a list of NRENs that peer with Internet2, their as-set, and the count of ASs received that fall outside of the as-set.

I’m sure I’ve made errors. Please let me know if you see anything in error.

Steve



AARNET (AS7575) as-set="AS7575:AS-CUSTOMER" count of origins outside customer cone 1 out of 96 origins seen.
        list of origins outside customer cone [10906]
AMPATH (AS20080) as-set="AS-AS20080-TRANSIT" count of origins outside customer cone 6 out of 23 origins seen.
        list of origins outside customer cone [28609, 263076, 262441, 19611, 27676, 263358]
ANKABUT (AS47862) as-set="AS47862" count of origins outside customer cone 9 out of 9 origins seen.
        list of origins outside customer cone [59968, 50602, 58283, 51182, 61137, 47862, 57143, 52216, 50811]
No AS-SET for APAN (AS7660)
CANARIE (AS6509) as-set="AS6509:AS-CANARIE" count of origins outside customer cone 1 out of 150 origins seen.
        list of origins outside customer cone [577]
CEDIA (AS61468) as-set="AS61468:AS-CEDIATRANSITMIEMBROS" count of origins outside customer cone 3 out of 16 origins seen.
        list of origins outside customer cone [27947, 22724, 61468]
CERN (AS513) as-set="AS-CERNEXT" count of origins outside customer cone 0 out of 0 origins seen.
CERNET (AS23911) as-set="AS4538:AS-CUSTOMERS-V6" count of origins outside customer cone 0 out of 0 origins seen.
CSTNET (AS7497) as-set="AS7497:AS-CUSTOMERS" count of origins outside customer cone 0 out of 1 origins seen.
No AS-SET for CUDI (AS18592)
No AS-SET for CUDI (AS28569)
No AS-SET for ENSTINET (AS6879)
GEANT (AS20965) as-set="AS-GEANTNRN" count of origins outside customer cone 57 out of 533 origins seen.
        list of origins outside customer cone [38272, 138369, 138371, 327944, 138378, 327947, 328076, 12812, 328212, 24348, 37661, 24349, 24350, 328224, 328353, 24352, 24353, 24355, 24357, 24358, 37288, 24361, 24362, 24363, 24364, 328752, 24369, 24370, 24371, 327992, 4538, 199354, 329410, 328647, 328648, 328903, 209098, 132553, 11340, 6736, 37074, 328530, 37717, 328662, 328663, 133465, 8670, 49248, 133475, 23910, 21612, 329326, 328054, 328439, 328184, 328702, 24575]
No AS-SET for GOREX (AS35889)
No AS-SET for HBKU (AS34945)
No AS-SET for JGNX (AS17934)
KACST (AS8895) as-set="RIPE::AS8895:AS-KACST" count of origins outside customer cone 0 out of 7 origins seen.
KREONET2 (AS17579) as-set="AS1237:AS-KREONET" count of origins outside customer cone 0 out of 36 origins seen.
No AS-SET for NEAAR (AS396390)
NKN (AS9885) as-set="AS-NIC-NKN-BGP-PEERS" count of origins outside customer cone 2 out of 106 origins seen.
        list of origins outside customer cone [152576, 132124]
NORDUNET (AS2603) as-set="AS-NORDUNET" count of origins outside customer cone 3 out of 154 origins seen.
        list of origins outside customer cone [200264, 9113, 48670]
OMREN (AS206350) as-set="AS206350" count of origins outside customer cone 2 out of 2 origins seen.
        list of origins outside customer cone [28885, 206350]
QFN (AS29384) as-set="AS29384" count of origins outside customer cone 1 out of 1 origins seen.
        list of origins outside customer cone [29384]
REANNZ (AS38022) as-set="RADB::AS-REANNZ-MEMBERS" count of origins outside customer cone 1 out of 32 origins seen.
        list of origins outside customer cone [3477]
REDCLARA (AS27750) as-set="AS27750:AS-MEMBERS" count of origins outside customer cone 37 out of 41 origins seen.
        list of origins outside customer cone [52224, 263683, 262156, 27790, 263186, 264724, 265884, 61476, 28068, 263204, 4270, 61486, 10671, 264630, 61496, 5692, 263235, 52424, 28107, 27981, 28109, 264785, 270033, 27993, 52442, 52314, 264798, 20191, 27875, 265700, 23140, 27750, 27883, 264687, 26610, 27897, 27770]
RNP (AS1916) as-set="RADB::AS-RNP" count of origins outside customer cone 4 out of 79 origins seen.
        list of origins outside customer cone [268744, 61612, 28157, 28222]
SINET (AS2907) as-set="JPIRR::as2907:as-sinet" count of origins outside customer cone 26 out of 122 origins seen.
        list of origins outside customer cone [1921, 18183, 38296, 7577, 7588, 9264, 7472, 17713, 7610, 4538, 4158, 63555, 45259, 3662, 24151, 11096, 7650, 17764, 24302, 38254, 7539, 18422, 137207, 1659, 3836, 4605]
No AS-SET for SINGAREN (AS23864)
No AS-SET for STARLIGHT (AS10764)
SURFNET (AS1103) as-set="AS-SURFNET" count of origins outside customer cone 0 out of 25 origins seen.
TENET (AS2018) as-set="AS-TERTIARY" count of origins outside customer cone 0 out of 5 origins seen.
No AS-SET for TRANSPAC (AS22388)
TWAREN (AS7539) as-set="AS7539:AS-TWAREN" count of origins outside customer cone 0 out of 8 origins seen.
UBUNTUNET (AS36944) as-set="AS-UBUNTUNET" count of origins outside customer cone 1 out of 21 origins seen.
        list of origins outside customer cone [327945]


Steven Wallace
Director - Routing Integrity
Internet2
ssw@internet2.edu
_______________________________________________
Routing-wg mailing list -- routing-wg@lists.gna-g.net
To unsubscribe send an email to routing-wg-leave@lists.gna-g.net