Re: [bcop] Indosat (AS4761) BGP Hijack
On 3 Apr 2014, at 1:45 PM, IP TAC wrote:
Dear Partner,
The problem caused by misconfig by our third-party support. We already have plan to prevent the problem exist in the future if any misconfig happen again. We apologize for the inconvenience.
Greetings, May I take this opportunity to suggest that you (& anyone else listening that doesn't already have two levels of prevention on their BGP customers) implement a BGP max-prefix setting on your customer peer-groups to prevent this sort of incident in the future (in addition to using per-customer prefix filters)? Plenty of networks are rolling out IPv6; <A HREF="http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure">RPKI</A> may take longer... Best regards, --- Blake Willis Consulting Network Architect
Hi Blake (with cc to BCOP list), On 04/03/2014 03:49 PM, Blake WILLIS wrote:
On 3 Apr 2014, at 1:45 PM, IP TAC wrote:
Dear Partner,
The problem caused by misconfig by our third-party support. We already have plan to prevent the problem exist in the future if any misconfig happen again. We apologize for the inconvenience.
Greetings,
May I take this opportunity to suggest that you (& anyone else listening that doesn't already have two levels of prevention on their BGP customers) implement a BGP max-prefix setting on your customer peer-groups to prevent this sort of incident in the future (in addition to using per-customer prefix filters)?
This might (indeed) be an excellent document for a BCOP. If you are in the opportunity to attend the RIPE meeting, you might consider to start working on a BCOP document for (basic) filtering. This can be part of another, more broad defined document on BGP configuration, or more specific on customer peer-group filtering. Please let us know what you think. Best, -- Benno -- Benno J. Overeinder NLnet Labs http://www.nlnetlabs.nl/
participants (2)
-
Benno Overeinder -
Blake WILLIS