Prefix Filtering Design
Issues and Best Practices
Nurul Islam Roman, APNIC
MyNOG4, KL, Malaysia
Ingress Prefixes
•  There are three scenarios for receiving prefixes from other ASNs
–  Customer talking BGP
–  Peer talking BGP
–  Upstream/Transit talking BGP
•  Each has different filtering requirements and needs to be considered separately
Source of Prefixes
•  Upstream
–  Mostly ISP
•  Regional Internet Registry (RIR)
–  I.e. APNIC, ARIN, AFRINIC, LACNIC, RIPE NCC
Design Consideration
•  Ingress prefix from downstream:
–  Option 1: Customer single home and non portable prefix
•  Customer is not an APNIC member; prefix received from upstream ISP
–  Option 2: Customer single home and portable prefix
•  Customer is an APNIC member and received an allocation as a service provider, but has no AS number yet
–  Option 3: Customer multihome and non portable prefix
•  Customer is not an APNIC member; both prefix and ASN received from upstream ISP
–  Option 4: Customer multihome and portable prefix
•  Customer is an APNIC member; both prefix and ASN received from APNIC
Design Consideration [Single home]
•  Option 1: Single home and non portable prefix
[Diagram: Internet, upstream ISP1 (ISP prefix 3fff:ffff::/32), Customer (enterprise prefix 3fff:ffff:dcdc::/48). Customer can not change upstream.]
Design Consideration [Single home]
•  Option 2: Single home and portable prefix
[Diagram: Internet, upstream ISP1 (ISP prefix 3fff:ffff::/32), Customer (enterprise prefix 2001:0DB8::/32). Customer can change upstream.]
Design Consideration [Multihome]
•  Option 3: Multihome and non portable prefix
[Diagram: Internet, upstreams ISP1 (ISP prefix 3fff:ffff::/32) and ISP2, Customer (enterprise prefix 3fff:ffff:dcdc::/48). Upstream ISP1: can not change. Upstream ISP2: can change.]
Design Consideration [Multihome]
•  Option 4: Multihome and portable prefix
[Diagram: Internet, upstreams ISP1 (ISP prefix 3fff:ffff::/32) and ISP2, Customer (enterprise prefix 2001:0DB8::/32). Both upstreams can change.]
Route Filtering BCP [Single home]
•  Option 1: Customer single home and non portable prefix
[Diagram: Internet, upstream AS17821 (ISP prefix 3fff:ffff::/32), downstream customer (customer prefix 3fff:ffff:dcdc::/48).]
•  Diagram annotations
–  AS17821: Static 3fff:ffff:dcdc::/48 to customer WAN interface
–  AS17821: No LoA check of customer prefix
–  Customer: NO BGP
–  Customer: Static default to ISP WAN interface
•  Filter requirement for ISP
–  Customer interface OSPF passive
–  No BGP peering with downstream customer
–  No route filter required
–  Traffic filter should permit customer prefix only
•  Filter requirement for Customer
–  No dynamic routing protocol with ISP
–  No route filter required
–  Need traffic filter based on company security policy
Route Filtering BCP [Single home]
•  Option 2: Customer single home and portable prefix
[Diagram: Internet, upstream AS17821 (ISP prefix 3fff:ffff::/32), downstream customer (customer prefix 2001:0DB8::/32).]
•  Diagram annotations
–  Static 2001:0DB8::/32 to customer WAN interface
–  BGP network 2001:0DB8::/32 AS17821 i
–  Check LoA of customer prefix
–  NO BGP
–  Static default to ISP WAN interface
–  Static 2001:0DB8::/32 null0
•  Filter requirement for ISP
–  Customer interface OSPF passive
–  No BGP peering with downstream customer
–  No route filter required
–  Traffic filter should permit customer prefix only
•  Filter requirement for Customer
–  No dynamic routing protocol with ISP
–  No route filter required
–  Need traffic filter based on company security policy
Route Filtering [Multihome]
•  Option 3: Customer multihome and non portable prefix
[Diagram: Internet; upstreams AS17821 (can not change; ISP prefix 3fff:ffff::/32) and AS131107 (can change); customer AS64500 (customer prefix 3fff:ffff:dcdc::/48).]
•  AS17821
–  eBGP peering with customer WAN interface
–  No LoA check of customer prefix
•  Filter requirement for ISP
–  Customer interface OSPF passive
–  BGP peering with downstream customer
–  Route filter permit 3fff:ffff:dcdc::/48 only in
–  Route filter permit ::/0, AS17821cust, all /48 & /32 out
–  Or route filter permit ::/0 & AS17821 only out
–  AS path filter permit _64500$ in
–  Traffic filter should permit customer prefix in
•  Filter requirement for Customer
–  BGP peering with both upstream ISP
–  Route filter permit 3fff:ffff:dcdc::/48 only out
–  Route filter permit ::/0, AS17821cust, all /48 & /32 in
–  Or route filter permit ::/0 & AS17821 only in
–  AS path filter permit ^$ out
–  Need traffic filter based on company security policy
•  AS131107
–  Check LoA of customer prefix
–  Manual process: e-mail to tech-c
–  Automated process: route object or RPKI
–  Nearly same filter requirement as other ISP
•  AS64500
–  eBGP peering with both ISP WAN interfaces
–  BGP network 3fff:ffff:dcdc::/48 AS64500 i, or aggregate address from gateway router
Route Filtering [Multihome]
•  Option 4: Customer multihome and portable prefix
[Diagram: Internet; upstreams AS17821 (can change; ISP prefix 3fff:ffff::/32) and AS131107 (can change); customer AS64500 (customer prefix 2001:0DB8::/32).]
•  AS17821
–  Check LoA of customer prefix
–  Manual process: e-mail to tech-c
–  Automated process: route object or RPKI
•  Filter requirement for ISP
–  Customer interface OSPF passive
–  BGP peering with downstream customer
–  Route filter permit 2001:0DB8::/32 only in
–  Route filter permit ::/0, AS17821cust, all /48 & /32 out
–  Or route filter permit ::/0 & AS17821 only out
–  AS path filter permit _64500$ in
–  Traffic filter should permit customer prefix in
•  Filter requirement for Customer
–  BGP peering with both upstream ISP
–  Route filter permit 2001:0DB8::/32 only out
–  Route filter permit ::/0, AS17821cust, all /48 & /32 in
–  Or route filter permit ::/0 & AS17821 only in
–  AS path filter permit ^$ out
–  Need traffic filter based on company security policy
•  AS131107
–  Check LoA of customer prefix
–  Manual process: e-mail to tech-c
–  Automated process: route object or RPKI
–  Nearly same filter requirement as other ISP
•  AS64500
–  eBGP peering with both ISP WAN interfaces
–  BGP network 2001:0DB8::/32 AS64500 i, or aggregate address from gateway router
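The ISP-side ingress rules of Option 4 ("permit 2001:0DB8::/32 only in" plus "AS path filter permit _64500$ in") can be modelled offline to see which customer announcements they pass. This is an added example, not part of the original slides; the function names and the sample announcements are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the Option 4 slide.
CUSTOMER_PREFIX = ipaddress.ip_network("2001:0DB8::/32")
CUSTOMER_AS_PATH_FILTER = "_64500$"


def compile_as_path_regex(pattern):
    """Translate a router-style AS-path regex into a Python regex.

    In router AS-path regexes "_" matches a delimiter: start or end of
    the path, a space, a comma, braces or parentheses. Without it,
    "64500$" would also match a path ending in AS164500.
    """
    delimiter = r"(?:^|$|[ ,{}()])"
    return re.compile(pattern.replace("_", delimiter))


def check_customer_route(prefix, as_path,
                         allowed=CUSTOMER_PREFIX,
                         path_filter=CUSTOMER_AS_PATH_FILTER):
    """Apply the ISP's inbound policy to one announcement.

    Returns (accepted, reason). The prefix must equal the customer's
    registered prefix exactly ("only"), and the AS path must end in the
    customer ASN, i.e. the customer is the origin.
    """
    net = ipaddress.ip_network(prefix)
    if net != allowed:
        if net.version == allowed.version and net.subnet_of(allowed):
            return False, "more specific of customer prefix"
        return False, "prefix not registered to customer"
    if not compile_as_path_regex(path_filter).search(as_path):
        return False, "AS path does not end in customer ASN"
    return True, "accepted"


# Constructed announcements as received from the customer session.
SAMPLE_ANNOUNCEMENTS = [
    ("2001:db8::/32", "64500"),              # normal origination
    ("2001:db8::/32", "64500 64500 64500"),  # prepending, still origin 64500
    ("2001:db8:1::/48", "64500"),            # deaggregated more specific
    ("3fff:ffff::/32", "64500"),             # the ISP's own block
    ("2001:db8::/32", "64500 65551"),        # route learned from another AS
]


def evaluate(announcements):
    """Return [(prefix, as_path, accepted, reason), ...] for a batch."""
    return [(p, path) + check_customer_route(p, path)
            for p, path in announcements]


if __name__ == "__main__":
    for prefix, path, ok, reason in evaluate(SAMPLE_ANNOUNCEMENTS):
        print(f"{'PERMIT' if ok else 'DENY  '} {prefix:<18} [{path}] {reason}")
```
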
Design Issue [Ingress Prefix]
•  Downstream Customer BGP In process design issue:
–  Option 1: ISP default only In
•  Customer accepts only ::/0 from the upstream ISP
–  Option 2: ISP default + local In
•  Customer accepts ::/0, the upstream ISP prefix and the ISP's other customers' portable prefixes (non portable prefixes should not)
–  Option 3: ISP default + local + all In
•  Customer accepts ::/0, the upstream ISP aggregated prefix, the ISP's other customers' portable prefixes (non portable prefixes should not) and all other prefixes from the Internet
Route Filtering
•  Option 1: ISP default only In
–  Can use a low configuration router (CPU/DRAM)
–  Easy to manage small routing table
–  Do not support destination specific traffic engineering
–  Can not re-route traffic if remote transit is down
–  I.e. network 2001:0DB8::/32 is withdrawn in AS200 but the default path in AS64500 is still sending traffic via AS17821
[Diagram: Internet with Net 2001:0DB8::/32, AS100 and AS200; upstreams AS17821 (default originated) and AS131107 (default originated); customer AS64500.]
AS64500 BGP table (> marks the best path):
   ::/0 from AS131107
>  ::/0 from AS17821
Route Filtering
•  Option 1: ISP default only In
–  Can use a low configuration router (CPU/DRAM)
–  Easy to manage small routing table
–  Do not support destination specific traffic engineering
–  Can not re-route traffic if remote transit is down
–  Prefixes originated in AS131107 can be routed via AS17821 (sub-optimal path)
[Diagram: Internet with Net 2001:0DB8::/32, AS100 and AS200; upstreams AS131107 (default originated, Net 3fff:ffff::/32 i) and AS17821 (default originated); customer AS64500.]
AS64500 BGP table (> marks the best path):
   ::/0 from AS131107
>  ::/0 from AS17821
Route Filtering
•  Option 2: ISP default + local In
–  Can use a low configuration router (CPU/DRAM)
–  Easy to manage small routing table
–  Do not support destination specific traffic engineering to the remote
–  Can not re-route traffic if remote transit is down
–  AS131107 is sending its portable local route to AS64500
–  Prefixes originated in AS131107 can now be routed via AS131107 (optimal path)
[Diagram: Internet with Net 2001:0DB8::/32, AS100 and AS200; upstreams AS131107 (default originated, Net 3fff:ffff::/32 i) and AS17821 (default originated); customer AS64500.]
AS64500 BGP table (> marks the best path):
   ::/0 from AS131107
>  ::/0 from AS17821
>  3fff:ffff::/32 from AS131107
Route Filtering
•  Option 3: ISP default + local + all In
–  Need high configuration router (CPU/DRAM)
–  Need skilled people to manage large routing table
–  Support destination specific traffic engineering to the remote
–  Can now re-route traffic if remote transit is down
[Diagram: Internet with Net 2001:0DB8::/32, AS100 and AS200; upstreams AS131107 and AS17821, each labelled "default originated, net originated in AS131107 and its portable customer net"; customer AS64500.]
AS64500 BGP table (> marks the best path):
   ::/0 from AS131107
>  ::/0 from AS17821
>  3fff:ffff::/32 from AS131107
   3fff:ffff::/32 via AS17821
>  2001:0db8::/32 via AS131107
   2001:0db8::/32 via AS17821
   etc.
Route Filtering
•  Option 3: ISP default + local + all In
–  Need high configuration router (CPU/DRAM)
–  Need skilled people to manage large routing table
–  Support destination specific traffic engineering to the remote
–  Can now re-route traffic if remote transit is down
–  Prefixes originated in AS131107 or AS17821 can now be routed via AS131107 or AS17821 respectively
[Diagram: Internet with Net 2001:0DB8::/32, AS100 and AS200; upstreams AS131107 and AS17821, each labelled "default originated, net originated in AS131107 and its portable customer net"; customer AS64500.]
AS64500 BGP table (> marks the best path):
   ::/0 from AS131107
>  ::/0 from AS17821
>  3fff:ffff::/32 from AS131107
   3fff:ffff::/32 via AS17821
   2001:0db8::/32 via AS131107
>  2001:0db8::/32 via AS17821
   etc.
Route Filtering BCP
•  Prefixes: From Upstream/Transit Provider
•  If necessary to receive prefixes from any provider, care is required.
–  Don’t accept default (unless you need it)
–  Don’t accept your own prefixes
•  For IPv4:
–  Don’t accept private (RFC1918) and certain special use prefixes: http://www.rfc-editor.org/rfc/rfc5735.txt
–  Don’t accept prefixes longer than /24 (?)
•  For IPv6:
–  Don’t accept certain special use prefixes: http://www.rfc-editor.org/rfc/rfc5156.txt
–  Don’t accept prefixes longer than /48 (?)
Route Filtering BCP
•  Prefixes: From Upstream/Transit Provider
•  Check Team Cymru’s list of “bogons”: www.team-cymru.org/Services/Bogons/http.html
•  For IPv4 also consult: datatracker.ietf.org/doc/draft-vegoda-no-more-unallocated-slash8s
•  For IPv6 also consult: www.space.net/~gert/RIPE/ipv6-filters.html
•  Bogon Route Server: www.team-cymru.org/Services/Bogons/routeserver.html
–  Supplies a BGP feed (IPv4 and/or IPv6) of address blocks which should not appear in the BGP table
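The IPv6 rules above for routes received from an upstream (no default unless needed, no own prefixes, no special use prefixes, nothing longer than /48) can be expressed as one ordered check. This is an added example, not part of the original slides; it assumes the receiving network is AS64500 holding 2001:0DB8::/32 as in the earlier slides, uses only a subset of the RFC 5156 blocks, and the function name and sample routes are constructed.

```python
import ipaddress

# Assumption: local network is AS64500 with 2001:0DB8::/32 (from the slides).
OWN_PREFIXES = [ipaddress.ip_network("2001:0DB8::/32")]

# Subset of the special use IPv6 blocks listed in RFC 5156; a production
# filter would also draw on the bogon references given above.
SPECIAL_USE = [
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("::/128"), "unspecified"),
    (ipaddress.ip_network("::ffff:0:0/96"), "IPv4-mapped"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fc00::/7"), "unique local"),
    (ipaddress.ip_network("ff00::/8"), "multicast"),
]

MAX_PREFIX_LEN = 48  # "Don't accept prefixes longer than /48"


def check_upstream_route(prefix, accept_default=False):
    """Return (accepted, reason) for an IPv6 prefix heard from an upstream."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6:
        return False, "not an IPv6 prefix"
    # Default route: only when the design calls for it (Options 1 to 3).
    if net.prefixlen == 0:
        if accept_default:
            return True, "default accepted by policy"
        return False, "default route"
    # Our own space, or a more specific of it, must never come back in.
    for own in OWN_PREFIXES:
        if net.subnet_of(own):
            return False, "own prefix"
    for block, name in SPECIAL_USE:
        if net.subnet_of(block):
            return False, "special use: " + name
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "longer than /%d" % MAX_PREFIX_LEN
    return True, "accepted"


# Constructed routes as they might arrive on the upstream session.
SAMPLE_ROUTES = [
    "::/0",
    "2001:db8::/32",          # own aggregate reflected back
    "2001:db8:1::/48",        # more specific of own space
    "fd00:1::/48",            # unique local
    "ff0e::/16",              # multicast
    "3fff:ffff:dcdc:1::/64",  # too long
    "3fff:ffff::/32",         # upstream ISP prefix from the slides
]


def evaluate(routes, accept_default=False):
    """Return {prefix: (accepted, reason)} for a batch of routes."""
    return {r: check_upstream_route(r, accept_default) for r in routes}


if __name__ == "__main__":
    for route, (ok, reason) in evaluate(SAMPLE_ROUTES).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {route:<24} {reason}")
```
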
Questions?
Thank you

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

BGP Overview
BGP OverviewBGP Overview
BGP Overview
 
IP/MAC Address Translation
IP/MAC Address TranslationIP/MAC Address Translation
IP/MAC Address Translation
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
SDN Traffic Engineering, A Natural Evolution
SDN Traffic Engineering, A Natural EvolutionSDN Traffic Engineering, A Natural Evolution
SDN Traffic Engineering, A Natural Evolution
 
Innovation is back in the transport and network layers
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layers
 
NP - Unit 5 - Bootstrap, Autoconfigurion and BGP
NP - Unit 5 - Bootstrap, Autoconfigurion and BGPNP - Unit 5 - Bootstrap, Autoconfigurion and BGP
NP - Unit 5 - Bootstrap, Autoconfigurion and BGP
 
Migrating to OpenFlow SDNs
Migrating to OpenFlow SDNsMigrating to OpenFlow SDNs
Migrating to OpenFlow SDNs
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoS
 
Exterior Routing Protocols And Multi casting Chapter 16
Exterior Routing Protocols And Multi casting Chapter 16Exterior Routing Protocols And Multi casting Chapter 16
Exterior Routing Protocols And Multi casting Chapter 16
 
DHCP Protocol
DHCP ProtocolDHCP Protocol
DHCP Protocol
 
Sapc upcc-pcrf- part 2 tbp
Sapc upcc-pcrf- part 2 tbpSapc upcc-pcrf- part 2 tbp
Sapc upcc-pcrf- part 2 tbp
 
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
NP - Unit 4 - Routing - RIP, OSPF and Internet MulticastingNP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
Integrated and Differentiated services Chapter 17
Integrated and Differentiated services Chapter 17Integrated and Differentiated services Chapter 17
Integrated and Differentiated services Chapter 17
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls)  - Networkshop44Multiprotocol label switching (mpls)  - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 
IETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTPIETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTP
 
BGP Monitoring Protocol
BGP Monitoring ProtocolBGP Monitoring Protocol
BGP Monitoring Protocol
 

Similar a Prefix Filtering Design Issues and Best Practise by Nurul Islam

Computer network (14)
Computer network (14)Computer network (14)
Computer network (14)
NYversity
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basics
tanawan44
 

Similar a Prefix Filtering Design Issues and Best Practise by Nurul Islam (20)

Prefix Filtering BCP
Prefix Filtering BCP Prefix Filtering BCP
Prefix Filtering BCP
 
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
 
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
 
Routing Registry Function Automation using RPKI & RPSL
Routing Registry Function Automation using RPKI & RPSLRouting Registry Function Automation using RPKI & RPSL
Routing Registry Function Automation using RPKI & RPSL
 
Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Bgp
BgpBgp
Bgp
 
bgp.ppt
bgp.pptbgp.ppt
bgp.ppt
 
Practical Implementation of Large BGP communities with Geotags and Traffic En...
Practical Implementation of Large BGP communities with Geotags and Traffic En...Practical Implementation of Large BGP communities with Geotags and Traffic En...
Practical Implementation of Large BGP communities with Geotags and Traffic En...
 
Practical Implementation of Large BGP Community with Geotags and Traffic Engi...
Practical Implementation of Large BGP Community with Geotags and Traffic Engi...Practical Implementation of Large BGP Community with Geotags and Traffic Engi...
Practical Implementation of Large BGP Community with Geotags and Traffic Engi...
 
10 routing-bgp
10 routing-bgp10 routing-bgp
10 routing-bgp
 
11 bgp-ethernet
11 bgp-ethernet11 bgp-ethernet
11 bgp-ethernet
 
Computer network (14)
Computer network (14)Computer network (14)
Computer network (14)
 
Lec7
Lec7Lec7
Lec7
 
Wrou01
Wrou01Wrou01
Wrou01
 
Apricot2004 bgp00
Apricot2004 bgp00Apricot2004 bgp00
Apricot2004 bgp00
 
SGNOG2 - Using communities for multihoming ISP workshop
SGNOG2 - Using communities for multihoming ISP workshopSGNOG2 - Using communities for multihoming ISP workshop
SGNOG2 - Using communities for multihoming ISP workshop
 
BGP Techniques for Network Operators
BGP Techniques for Network OperatorsBGP Techniques for Network Operators
BGP Techniques for Network Operators
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basics
 

Más de MyNOG

MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
MyNOG
 

Más de MyNOG (20)

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 

Último

75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
Asmae Rabhi
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
galaxypingy
 

Último (20)

75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 

Prefix Filtering Design Issues and Best Practise by Nurul Islam

  • 1. Prefix Filtering Design Issues and Best Practices Nurul Islam Roman, APNIC MyNOG4, KL, Malaysia
  • 2. Ingress Prefixes •  There are three scenarios for receiving prefixes from other ASNs –  Customer talking BGP –  Peer talking BGP –  Upstream/Transit talking BGP •  Each has different filtering requirements and need to be considered separately
  • 3. Source of Prefixes •  Upstream –  Mostly ISP •  Regional Internet Registry (RIR) –  I.e. APNIC, ARIN, ARFINIC, LACNIC, RIPE NCC
  • 4. Design Consideration •  Ingress prefix from downstream: –  Option 1: Customer single home and non portable prefix •  Customer is not APNIC member prefix received from upstream ISP –  Option 2: Customer single home and portable prefix •  Customer is APNIC member receive allocation as service provider but no AS number yet –  Option 3: Customer multihome and non portable prefix •  Customer is not APNIC member both prefix and ASN received from upstream ISP –  Option 4: Customer multihome and portable prefix •  Customer is APNIC member both prefix and ASN received from APNIC
  • 5. Design Consideration [Single home]
      •  Option 1: Single home and non portable prefix
      [Diagram: Internet; ISP1 (upstream, can not change), ISP prefix 3fff:ffff::/32; Customer, enterprise prefix 3fff:ffff:dcdc::/48]
  • 6. Design Consideration [Single home]
      •  Option 2: Single home and portable prefix
      [Diagram: Internet; ISP1 (upstream, can change), ISP prefix 3fff:ffff::/32; Customer, enterprise prefix 2001:0DB8::/32]
  • 7. Design Consideration [Multihome]
      •  Option 3: Multihome and non portable prefix
      [Diagram: Internet; ISP1 (upstream, can not change), ISP prefix 3fff:ffff::/32; ISP2 (upstream, can change); Customer, enterprise prefix 3fff:ffff:dcdc::/48]
  • 8. Design Consideration [Multihome]
      •  Option 4: Multihome and portable prefix
      [Diagram: Internet; ISP1 (upstream, can change), ISP prefix 3fff:ffff::/32; ISP2 (upstream, can change); Customer, enterprise prefix 2001:0DB8::/32]
  • 9. Route Filtering BCP [Single home]
      •  Option 1: Customer single home and non portable prefix
      [Diagram: Internet; AS17821 (upstream), ISP prefix 3fff:ffff::/32; Customer (downstream), customer prefix 3fff:ffff:dcdc::/48]
      •  AS17821
          –  Static 3fff:ffff:dcdc::/48 to customer WAN interface
          –  No LoA check of customer prefix
      •  Customer
          –  No BGP
          –  Static default to ISP WAN interface
      •  Filter requirement for ISP
          –  Customer interface OSPF passive
          –  No BGP peering with downstream customer
          –  No route filter required
          –  Traffic filter should permit customer prefix only
      •  Filter requirement for Customer
          –  No dynamic routing protocol with ISP
          –  No route filter required
          –  Need traffic filter based on company security policy
  • 10. Route Filtering BCP [Single home]
      •  Option 2: Customer single home and portable prefix
      [Diagram: Internet; AS17821 (upstream), ISP prefix 3fff:ffff::/32; Customer (downstream), customer prefix 2001:0DB8::/32]
      •  AS17821
          –  Static 2001:0DB8::/32 to customer WAN interface
          –  BGP network 2001:0DB8::/32 AS17821 i
          –  Check LoA of customer prefix
      •  Customer
          –  No BGP
          –  Static default to ISP WAN interface
          –  Static 2001:0DB8::/32 null0
      •  Filter requirement for ISP
          –  Customer interface OSPF passive
          –  No BGP peering with downstream customer
          –  No route filter required
          –  Traffic filter should permit customer prefix only
      •  Filter requirement for Customer
          –  No dynamic routing protocol with ISP
          –  No route filter required
          –  Need traffic filter based on company security policy
  • 11. Route Filtering [Multihome]
      •  Option 3: Customer multihome and non portable prefix
      [Diagram: Internet; AS17821 (upstream, can not change), ISP prefix 3fff:ffff::/32; AS131107 (upstream, can change); AS64500 (customer), customer prefix 3fff:ffff:dcdc::/48]
      •  AS17821
          –  eBGP peering with customer WAN interface
          –  No LoA check of customer prefix
      •  Filter requirement for ISP
          –  Customer interface OSPF passive
          –  BGP peering with downstream customer
          –  Route filter permit 3fff:ffff:dcdc::/48 only in
          –  Route filter permit ::/0, AS17821cust, all /48 & /32 out
          –  Or route filter permit ::/0 & AS17821 only out
          –  AS path filter permit _64500$ in
          –  Traffic filter should permit customer prefix in
      •  Filter requirement for Customer
          –  BGP peering with both upstream ISP
          –  Route filter permit 3fff:ffff:dcdc::/48 only out
          –  Route filter permit ::/0, AS17821cust, all /48 & /32 in
          –  Or route filter permit ::/0 & AS17821 only in
          –  AS path filter permit ^$ out
          –  Need traffic filter based on company security policy
      •  AS131107
          –  Check LoA of customer prefix
          –  Manual process: e-mail to tech-c
          –  Automated process: route object or RPKI
          –  Nearly same filter requirement as other ISP
      •  AS64500
          –  eBGP peering with both ISP WAN interface
          –  BGP network 3fff:ffff:dcdc::/48 AS64500 i, or aggregate address from gateway router
  • 12. Route Filtering [Multihome]
      •  Option 4: Customer multihome and portable prefix
      [Diagram: Internet; AS17821 (upstream, can change), ISP prefix 3fff:ffff::/32; AS131107 (upstream, can change); AS64500 (customer), customer prefix 2001:0DB8::/32]
      •  AS17821
          –  Check LoA of customer prefix
          –  Manual process: e-mail to tech-c
          –  Automated process: route object or RPKI
      •  Filter requirement for ISP
          –  Customer interface OSPF passive
          –  BGP peering with downstream customer
          –  Route filter permit 2001:0DB8::/32 only in
          –  Route filter permit ::/0, AS17821cust, all /48 & /32 out
          –  Or route filter permit ::/0 & AS17821 only out
          –  AS path filter permit _64500$ in
          –  Traffic filter should permit customer prefix in
      •  Filter requirement for Customer
          –  BGP peering with both upstream ISP
          –  Route filter permit 2001:0DB8::/32 only out
          –  Route filter permit ::/0, AS17821cust, all /48 & /32 in
          –  Or route filter permit ::/0 & AS17821 only in
          –  AS path filter permit ^$ out
          –  Need traffic filter based on company security policy
      •  AS131107
          –  Check LoA of customer prefix
          –  Manual process: e-mail to tech-c
          –  Automated process: route object or RPKI
          –  Nearly same filter requirement as other ISP
      •  AS64500
          –  eBGP peering with both ISP WAN interface
          –  BGP network 2001:0DB8::/32 AS64500 i, or aggregate address from gateway router
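The route filter and AS-path filter pair from slides 11 and 12, evaluated against sample announcements, as an added example that is not part of the original slides. The function names, the Python translation of the router-style `_` delimiter, and the sample AS paths (including AS65010) are assumptions made for illustration.

```python
import ipaddress
import re

CUSTOMER_PREFIX = ipaddress.ip_network("3fff:ffff:dcdc::/48")  # Option 3 prefix from the slides


def as_path_regex(pattern):
    """Translate a router-style AS-path regex: "_" matches a delimiter
    (space, comma, brace, parenthesis) or the start/end of the path string."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


ISP_IN = as_path_regex("_64500$")   # ISP inbound: route must originate in AS64500
CUSTOMER_OUT = as_path_regex("^$")  # customer outbound: locally originated routes only


def evaluate(prefix, as_path, path_filter):
    """Apply "permit <customer prefix> only" plus an AS-path filter to one route."""
    if ipaddress.ip_network(prefix) != CUSTOMER_PREFIX:
        return (False, "prefix not permitted")   # also rejects more-specifics
    if not path_filter.search(as_path):
        return (False, "AS path not permitted")
    return (True, "ok")


def isp_accepts(prefix, as_path):
    """ISP side of the customer session; as_path is the path as received."""
    return evaluate(prefix, as_path, ISP_IN)


def customer_announces(prefix, as_path):
    """Customer side; as_path is the path before AS64500 prepends itself."""
    return evaluate(prefix, as_path, CUSTOMER_OUT)


# Constructed announcements: (prefix, AS path as seen by the ISP)
SAMPLE_IN = [
    ("3fff:ffff:dcdc::/48", "64500"),               # the customer's own route
    ("3fff:ffff:dcdc::/48", "64500 64500 64500"),   # same route with prepending
    ("3fff:ffff:dcdc:100::/56", "64500"),           # more-specific of the customer prefix
    ("3fff:ffff:dcdc::/48", "64500 65010"),         # right prefix, wrong origin AS
    ("3fff:ffff::/32", "64500 131107"),             # route learned from the other upstream
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_IN:
        print("%-26s [%s] -> %s" % (prefix, path, isp_accepts(prefix, path)))
```

The last sample is a route leak: it is stopped twice, once by the customer's `^$` outbound filter and again by the ISP's inbound prefix filter.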
  • 13. Design Issue [Ingress Prefix]
      •  Downstream Customer BGP In process design issue:
          –  Option 1: ISP default only In
              •  Customer is accepting ::/0 only from upstream ISP prefix
          –  Option 2: ISP default + local In
              •  Customer is accepting ::/0 and upstream ISP prefix and their other customer portable prefixes (Non portable prefixes should not)
          –  Option 3: ISP default + local + all In
              •  Customer is accepting ::/0, upstream ISP aggregated prefix and their other customer portable prefixes (Non portable prefixes should not) and all other from Internet
  • 14. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 15. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 16. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 17. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering
          –  Can not re-route traffic if remote transit is down
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS17821 (default originated) and AS131107 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 18. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering
          –  Can not re-route traffic if remote transit is down
          –  I.e. network 2001:0DB8::/32 is withdrawn in AS200 but the default path in AS64500 is still sending traffic via AS17821
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS17821 (default originated) and AS131107 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 19. Route Filtering
      •  Option 1: ISP default only In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering
          –  Can not re-route traffic if remote transit is down
          –  Prefixes originated in AS131107 can be routed via AS17821 (sub-optimal path)
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated, Net 3fff:ffff::/32 i) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821]
  • 20. Route Filtering
      •  Option 2: ISP default + local In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering to the remote
          –  Can not re-route traffic if remote transit is down
          –  AS131107 is sending its portable local route to AS64500
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated, net 3fff:ffff::/32 i) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 i from AS131107]
  • 21. Route Filtering
      •  Option 2: ISP default + local In
          –  Can use a low configuration router (CPU/DRAM)
          –  Easy to manage small routing table
          –  Do not support destination specific traffic engineering to the remote
          –  Can not re-route traffic if remote transit is down
          –  AS131107 is sending its portable local route to AS64500
          –  Prefixes originated in AS131107 can now be routed via AS131107 (optimal path)
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated, Net 3fff:ffff::/32 i) and AS17821 (default originated); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107]
  • 22. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; 2001:0db8::/32 via AS131107; > 2001:0db8::/32 via AS17821; etc.]
  • 23. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
          –  Need skilled people to manage large routing table
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; 2001:0db8::/32 via AS131107; > 2001:0db8::/32 via AS17821; etc.]
  • 24. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
          –  Need skilled people to manage large routing table
          –  Support destination specific traffic engineering to the remote
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; 2001:0db8::/32 via AS131107; > 2001:0db8::/32 via AS17821; etc.]
  • 25. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
          –  Need skilled people to manage large routing table
          –  Support destination specific traffic engineering to the remote
          –  Can now re-route traffic if remote transit is down
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; 2001:0db8::/32 via AS131107; > 2001:0db8::/32 via AS17821; etc.]
  • 26. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
          –  Need skilled people to manage large routing table
          –  Support destination specific traffic engineering to the remote
          –  Can now re-route traffic if remote transit is down
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; > 2001:0db8 via AS131107; 2001:0db8 via AS17821; etc.]
  • 27. Route Filtering
      •  Option 3: ISP default + local + all In
          –  Need high configuration router (CPU/DRAM)
          –  Need skilled people to manage large routing table
          –  Support destination specific traffic engineering to the remote
          –  Can now re-route traffic if remote transit is down
          –  Prefixes originated in AS131107 or AS17821 can now be routed via AS131107 or AS17821 respectively
      [Diagram: Internet; AS100; AS200; Net 2001:0DB8::/32; upstreams AS131107 (default originated; net originated in AS131107 and its portable customer net) and AS17821 (default originated; net originated in AS131107 and its portable customer net); AS64500 routing table: ::/0 from AS131107; > ::/0 from AS17821; > 3fff:ffff::/32 from AS131107; 3fff:ffff::/32 via AS17821; 2001:0db8::/32 via AS131107; > 2001:0db8::/32 via AS17821; etc.]
  • 28. Route Filtering BCP
      •  Prefixes: From Upstream/Transit Provider
      •  If necessary to receive prefixes from any provider, care is required.
          –  Don’t accept default (unless you need it)
          –  Don’t accept your own prefixes
      •  For IPv4:
          –  Don’t accept private (RFC1918) and certain special use prefixes: http://www.rfc-editor.org/rfc/rfc5735.txt
          –  Don’t accept prefixes longer than /24 (?)
      •  For IPv6:
          –  Don’t accept certain special use prefixes: http://www.rfc-editor.org/rfc/rfc5156.txt
          –  Don’t accept prefixes longer than /48 (?)
  • 29. Route Filtering BCP
      •  Prefixes: From Upstream/Transit Provider
      •  Check Team Cymru’s list of “bogons”: www.team-cymru.org/Services/Bogons/http.html
      •  For IPv4 also consult: datatracker.ietf.org/doc/draft-vegoda-no-more-unallocated-slash8s
      •  For IPv6 also consult: www.space.net/~gert/RIPE/ipv6-filters.html
      •  Bogon Route Server: www.team-cymru.org/Services/Bogons/routeserver.html
          –  Supplies a BGP feed (IPv4 and/or IPv6) of address blocks which should not appear in the BGP table
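The upstream/transit acceptance rules from slides 28 and 29, applied in order to a batch of received prefixes, as an added example that is not part of the original slides. The function names, the short special-use list (a constructed subset, not the full RFC 5735 / RFC 5156 or bogon lists) and the sample announcements are assumptions.

```python
import ipaddress

# Assumption: AS64500's own aggregate, taken from the slides' portable-prefix case.
OWN_PREFIXES = [ipaddress.ip_network("2001:db8::/32")]
# Constructed subset of the RFC 5735 / RFC 5156 special-use blocks. Documentation
# ranges are left out on purpose because the slides use them as stand-ins for
# routable space; a production filter loads the full, current lists.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 loopback, ULA, link-local, multicast
)]
MAX_LEN = {4: 24, 6: 48}   # the slides' tentative longest acceptable prefix lengths


def inside(net, block):
    """True when net equals block or is a more-specific of it (same address family)."""
    return net.version == block.version and net.subnet_of(block)


def check_upstream_route(prefix, need_default=False):
    """Return (accepted, reason) for one prefix announced by an upstream/transit peer."""
    net = ipaddress.ip_network(prefix)   # raises ValueError on host bits or bad syntax
    if net.prefixlen == 0:
        return (need_default, "default route")
    if any(inside(net, own) for own in OWN_PREFIXES):
        return (False, "own prefix")
    if any(inside(net, block) for block in SPECIAL_USE):
        return (False, "special-use prefix")
    if net.prefixlen > MAX_LEN[net.version]:
        return (False, "longer than /%d" % MAX_LEN[net.version])
    return (True, "ok")


# Constructed announcements, as they might arrive from AS17821 or AS131107.
SAMPLE = ["::/0", "3fff:ffff::/32", "2001:db8:1::/48", "10.1.0.0/16",
          "198.51.100.0/25", "198.51.100.0/24", "fe80::/10", "3fff:ffff:dcdc:1::/64"]

if __name__ == "__main__":
    for p in SAMPLE:
        print("%-24s %s" % (p, check_upstream_route(p)))
```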