2:29 p.m.
Back in the darkness of time when I was at AARNet I used RPSL
hierarchically named AS sets, eg AS7575:AS-CUSTOMER, AS7575:AS-PEER,
AS7575:AS-RESEARCH, to collect together the ASNs of those categories of
peer ASes. That was mainly used to describe the policy in the aut-num
object rather than produce filters as I used community tags for export
of routes. You could use the comments field of the aut-num object to
describe any peer sets you maintain.
Mark.
On 27/3/2024 10:38, Dylan Hall wrote:
At REANNZ we maintain an AS-SET with all our
customers. We use this for
commodity peering, transit, etc and this is recorded in peeringdb.
However, it doesn't include NREN transit/backup. I don't really want to
add NREN transit to that AS-SET as I have no intention of announcing
those prefixes to my commodity peers and not including them provides
some protection against making a mistake and leaking them.
What I would like to do is maintain a second AS-SET that points to my
regular AS-SET as well as the list of NREN AS or AS-SETs I might provide
transit to. The problem I see is where to record this? Peeringdb doesn't
have a suitable field other than notes.
Example:
AS-REANNZ-MEMBERS => AS38022,AS38299,... (used for commodity)
AS-REANNZ-NREN => AS-REANNZ-MEMBERS,AS7575:AS-CUSTOMER,AS6360,... (used
for NREN)
My second thought, where do we record our AS-SET's and other objects?
We currently use RADB because I can create proxy records for my
customers who don't generally do a great job of maintaining their own
records in APNIC. That said, if I want to push them towards using RPKI
they'll need to use APNIC, so maybe the answer isn't to rely on RADB.
Dylan
------------------------------------------------------------------------
*From:* Steven Wallace <ssw(a)internet2.edu>
*Sent:* Wednesday, 27 March 2024 2:22 AM
*To:* routing-wg(a)lists.gna-g.net <routing-wg(a)lists.gna-g.net>
*Cc:* Paul Howell <phowell(a)internet2.edu>; Ryan Harden
<rharden(a)internet2.edu>; Jeff Bartig <jbartig(a)internet2.edu>; Chris
Wilkinson <cwilkinson(a)internet2.edu>
*Subject:* [Routing-wg] looking at published customer cones vs. ground
truth..
[You don't often get email from ssw(a)internet2.edu. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification
<https://aka.ms/LearnAboutSenderIdentification> ]
Greetings,
Internet2 doesn’t explicitly filter routes it receives from NREN peers.
It does apply standard sanity checks, but all legitimate routes are
accepted. It is common practice among NRENs to exchange their customers’
routes AND routes heard from other NRENs. Internally, we sometimes refer
to the entire collection of NREN routes as ITN (International Transit
Network). This practice of offering mutual transit has served the NREN
community by providing redundancy and allowing for more sparse
interconnection points. For example, Internet2 becomes a transit AS
interconnecting networks that land on the east and west coasts of the US.
However, not explicitly filtering routes among the NRENs has downsides.
Last week, an NREN unintentionally announced many non-NREN routes to
Internet2. The number of routes announced triggered a shutdown of the
BGP session, and the increase in Internet2’s route table size caused a
network in the US to shut down its peering with Internet2. Explicitly
filtering routes received from our NREN peer would have mitigated this
incident.
Building a filter based on a peer’s as-cone could be a reasonable
standard practice to improve routing security if NRENs only exchanged
their customer routes. An approach that might fit our needs better could
include a published as-set representing the customer as-cone for each
NREN, plus the RPSL (I’m not an RPSL expert, but I assume this is
possible) needed to convey which customer and transit routes to accept
from a peer.
Another approach might be to maintain an as-cone for the entire ITN, and
use that as the basis for a filter. There are approximately 2,600 ASs in
the ITN.
I’m not a BGP expert, but I’d like to support a conversation among the
NRENs to explore options and, potentially, to recommend best practices
to improve our collective routing security while maintaining our transit
policies.
I’ve generated some data to spark the conversation. Firstly, I need to
say that if Internet2 were in this list, it would show “No AS-SET for
Internet2 (AS11537).” We’re reluctant to publish such an as-set as there
isn’t a well-understood interpretation of how it would be used among
NRENs. If Internet2 published its as-cone via an as-set, would other
networks apply prefix filters based on this as-set and reject routes
from the other NRENs that are part of the ITN?
Based on routing data from bgp.nsrc.org and sources like the IRRs and
peeringdb, here’s a list of NRENs that peer with Internet2, their
as-set, and the count of ASs received that fall outside of the as-set.
I’m sure I’ve made errors. Please let me know if you see anything in error.
Steve
AARNET (AS7575) as-set="AS7575:AS-CUSTOMER" count of origins outside
customer cone 1 out of 96 origins seen.
list of origins outside customer cone [10906]
AMPATH (AS20080) as-set="AS-AS20080-TRANSIT" count of origins outside
customer cone 6 out of 23 origins seen.
list of origins outside customer cone [28609, 263076, 262441,
19611, 27676, 263358]
ANKABUT (AS47862) as-set="AS47862" count of origins outside customer
cone 9 out of 9 origins seen.
list of origins outside customer cone [59968, 50602, 58283,
51182, 61137, 47862, 57143, 52216, 50811]
No AS-SET for APAN (AS7660)
CANARIE (AS6509) as-set="AS6509:AS-CANARIE" count of origins outside
customer cone 1 out of 150 origins seen.
list of origins outside customer cone [577]
CEDIA (AS61468) as-set="AS61468:AS-CEDIATRANSITMIEMBROS" count of
origins outside customer cone 3 out of 16 origins seen.
list of origins outside customer cone [27947, 22724, 61468]
CERN (AS513) as-set="AS-CERNEXT" count of origins outside customer cone
0 out of 0 origins seen.
CERNET (AS23911) as-set="AS4538:AS-CUSTOMERS-V6" count of origins
outside customer cone 0 out of 0 origins seen.
CSTNET (AS7497) as-set="AS7497:AS-CUSTOMERS" count of origins outside
customer cone 0 out of 1 origins seen.
No AS-SET for CUDI (AS18592)
No AS-SET for CUDI (AS28569)
No AS-SET for ENSTINET (AS6879)
GEANT (AS20965) as-set="AS-GEANTNRN" count of origins outside customer
cone 57 out of 533 origins seen.
list of origins outside customer cone [38272, 138369, 138371,
327944, 138378, 327947, 328076, 12812, 328212, 24348, 37661, 24349,
24350, 328224, 328353, 24352, 24353, 24355, 24357, 24358, 37288, 24361,
24362, 24363, 24364, 328752, 24369, 24370, 24371, 327992, 4538, 199354,
329410, 328647, 328648, 328903, 209098, 132553, 11340, 6736, 37074,
328530, 37717, 328662, 328663, 133465, 8670, 49248, 133475, 23910,
21612, 329326, 328054, 328439, 328184, 328702, 24575]
No AS-SET for GOREX (AS35889)
No AS-SET for HBKU (AS34945)
No AS-SET for JGNX (AS17934)
KACST (AS8895) as-set="RIPE::AS8895:AS-KACST" count of origins outside
customer cone 0 out of 7 origins seen.
KREONET2 (AS17579) as-set="AS1237:AS-KREONET" count of origins outside
customer cone 0 out of 36 origins seen.
No AS-SET for NEAAR (AS396390)
NKN (AS9885) as-set="AS-NIC-NKN-BGP-PEERS" count of origins outside
customer cone 2 out of 106 origins seen.
list of origins outside customer cone [152576, 132124]
NORDUNET (AS2603) as-set="AS-NORDUNET" count of origins outside customer
cone 3 out of 154 origins seen.
list of origins outside customer cone [200264, 9113, 48670]
OMREN (AS206350) as-set="AS206350" count of origins outside customer
cone 2 out of 2 origins seen.
list of origins outside customer cone [28885, 206350]
QFN (AS29384) as-set="AS29384" count of origins outside customer cone 1
out of 1 origins seen.
list of origins outside customer cone [29384]
REANNZ (AS38022) as-set="RADB::AS-REANNZ-MEMBERS" count of origins
outside customer cone 1 out of 32 origins seen.
list of origins outside customer cone [3477]
REDCLARA (AS27750) as-set="AS27750:AS-MEMBERS" count of origins outside
customer cone 37 out of 41 origins seen.
list of origins outside customer cone [52224, 263683, 262156,
27790, 263186, 264724, 265884, 61476, 28068, 263204, 4270, 61486, 10671,
264630, 61496, 5692, 263235, 52424, 28107, 27981, 28109, 264785, 270033,
27993, 52442, 52314, 264798, 20191, 27875, 265700, 23140, 27750, 27883,
264687, 26610, 27897, 27770]
RNP (AS1916) as-set="RADB::AS-RNP" count of origins outside customer
cone 4 out of 79 origins seen.
list of origins outside customer cone [268744, 61612, 28157, 28222]
SINET (AS2907) as-set="JPIRR::as2907:as-sinet" count of origins outside
customer cone 26 out of 122 origins seen.
list of origins outside customer cone [1921, 18183, 38296,
7577, 7588, 9264, 7472, 17713, 7610, 4538, 4158, 63555, 45259, 3662,
24151, 11096, 7650, 17764, 24302, 38254, 7539, 18422, 137207, 1659,
3836, 4605]
No AS-SET for SINGAREN (AS23864)
No AS-SET for STARLIGHT (AS10764)
SURFNET (AS1103) as-set="AS-SURFNET" count of origins outside customer
cone 0 out of 25 origins seen.
TENET (AS2018) as-set="AS-TERTIARY" count of origins outside customer
cone 0 out of 5 origins seen.
No AS-SET for TRANSPAC (AS22388)
TWAREN (AS7539) as-set="AS7539:AS-TWAREN" count of origins outside
customer cone 0 out of 8 origins seen.
UBUNTUNET (AS36944) as-set="AS-UBUNTUNET" count of origins outside
customer cone 1 out of 21 origins seen.
list of origins outside customer cone [327945]
Steven Wallace
Director - Routing Integrity
Internet2
ssw(a)internet2.edu
_______________________________________________
Routing-wg mailing list -- routing-wg(a)lists.gna-g.net
To unsubscribe send an email to routing-wg-leave(a)lists.gna-g.net
_______________________________________________
Routing-wg mailing list -- routing-wg(a)lists.gna-g.net
To unsubscribe send an email to routing-wg-leave(a)lists.gna-g.net