 |
 |
At NANOG it was strongly suggested we, privately for MICE and more generally for all IXes, should implement IRR filtering on our route servers ASAP. We are now one of the bigger IXes not already filtering, especially in the US. We should probably block routes with invalid RPKI ROAs too. Arouteserver was recommended as one of the better and easier to implement options. There are offers to help us with this from Theo de Raadt < [log in to unmask]> of the Calgary Internet Exchange (YYCIX) and by others. https://blog.apnic.net/2017/03/17/ixp-automation-made-easy-new-open-source-tool/ https://github.com/pierky/arouteserver https://arouteserver.readthedocs.io/en/latest/ FYI additionally, Fastly already filters based on IRR objects, and HE has recently started filtering. https://www.fastly.com/peering http://routing.he.net/algorithm.html Also at NANOG, it was announced by Google that they plan to begin filtering routes based IRR data early next year. See slide 114 of the following; https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetanov_Security_Track_Bgp_v1.pdf There is lots of other good stuff in the deck, but the fact that Google plans to start filtering based on IRR objects is BIG news. So, we need to escalate doing route filtering on our Route Servers. Furthermore, if you don't already have IRR objects, you should probably start working on them. The following is a handy tool to check the consistency of your IRR objects. http://irrexplorer.nlnog.net/ Thanks. -- =============================================== David Farmer Email:[log in to unmask] Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================