On 02/06/2016 22:43, Job Snijders wrote:
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large. After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is either a misconfiguration or software issue.
Even though this is something "simple" and less likely to prevent the bigger bad things from happening (well, still could, but even AS200759's incident in April might not have been prevented), every little piece helps - and might trigger affected ISPs to check and clean up their configuration. Thus a strong +1. And others are encouraged to do the same (if not already doing it).

However, one note I'd like to add here: Some older JunOSes (probably IOSes as well) do not remove 32bit RFC6996 ASNs with remove-private (remove-private-as) from the path. In case one runs an older version (for whatever reasons) and makes use of RFC6996 32bit ASNs, better check now. IIRC (but that's 1+ year ago) e.g. 12.3 will never see a proper 32bit aware remove-private version, 13.3 and 14.1 started to support it with some R# release ... oops, that's more j-nsp than routing-wg, sorry ;-).

Markus

PS: In case someone is concerned ... AS286 has (usually) been rejecting prefixes with RFC6996 ASNs for years ... and hardly hit any real connectivity problems (at least not one which couldn't be solved). Fair enough, it might end differently for others ... depending on the traffic relation to these dropped networks. This probably changes if other ISPs suddenly start to filter these prefixes out as well and downstreams don't see them anymore from other upstreams ... but at least we are then not the only ones unable to reach the "problem prefixes" and the pressure towards the "bad ISP" is getting higher to finally fix it. And we commit to update our filters to Job's "extended" version before July, which will kick out another ~30 prefixes from our table soon ...

--
Darmstädter Landstrasse 184 | 60598 Frankfurt | Germany
+49 (0)178 5352346 | <Markus.Weber@kpn.DE> | www.kpn.de
KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main
Amtsgericht Frankfurt HRB99781 | USt.IdNr. DE 815496855
Geschäftsführer Jesus Martinez & Pieter Martijn Schelling
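Added example, not part of the thread and not NTT's or KPN's actual filter: a Python sketch of a bogon-ASN check on an AS_PATH, plus a model of the 16-bit-only remove-private behaviour described in the reply above. The ranges are taken from the IANA special-purpose AS number registry, the function names are hypothetical, and the sample paths are constructed.

```python
# Added illustration: bogon ASN detection in an AS_PATH.
# Ranges per the IANA special-purpose AS number registry (assumed to match
# what a "Bogon ASN" filter covers); sample paths are constructed.
BOGON_ASN_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private 16-bit (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private 32-bit (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

def bogon_asns(as_path):
    """Return [(asn, reason)] for each bogon ASN in a text AS_PATH.
    AS_SET members written as {a,b} are checked like any other hop."""
    hits = []
    for token in as_path.replace("{", " ").replace("}", " ").replace(",", " ").split():
        asn = int(token)
        for low, high, reason in BOGON_ASN_RANGES:
            if low <= asn <= high:
                hits.append((asn, reason))
                break
    return hits

def accept(as_path):
    """Policy decision: accept only if no bogon ASN appears anywhere in the path."""
    return not bogon_asns(as_path)

def legacy_remove_private(as_path):
    """Model of an older remove-private that strips only the 16-bit
    private range and leaves 32-bit RFC 6996 ASNs in the path."""
    return " ".join(t for t in as_path.split() if not 64512 <= int(t) <= 65534)

if __name__ == "__main__":
    # Constructed paths: clean, private ASNs behind a customer, AS_TRANS leak.
    for path in ("286 200759", "286 64600 4200000100", "286 23456 200759"):
        exported = legacy_remove_private(path)
        verdict = "accept" if accept(exported) else "reject"
        print(f"{path!r} -> exported {exported!r}: {verdict} {bogon_asns(exported)}")
```

The second sample path shows the case the reply warns about: the 16-bit private ASN is stripped before export, the 32-bit one survives, and a neighbor applying this check would reject the route.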