
Well, we can't necessarily trust them to attach the BGP Community or filter
properly, this is why if there are people using BGP Optimizers, I would
want us to accelerate IRR filtering for MICE, but even that isn't perfect.

However, the idea around a MICE-DROP BGP Community is to develop a robust
approach, belt and suspenders so to speak. For example, let's say they are
filtering but they make a mistake editing their filter, or they load new
code on their router and a bug allows routes to leak. If in a different
part of their configuration, or maybe on the BGP Optimizer itself, they set
the MICE-DROP community, then their mistake or bug still won't propagate
through MICE, because the other MICE participants or the MICE route servers
would know to drop the routes with that tag anyway. It's also why we all
need to enforce max prefix counts on our peers and on peers to the route
servers, it helps catch the unexpected mistake or bug.

Robust systems have multiple layers of protection. The brake system on your
car probably has power assist of some kind, but your brakes are designed to
work even if the power assist fails, you still have manual, unassisted,
hydraulics through the brake pedal, and if the hydraulic system completely
fails, you have an emergency brake with a cable attached to a lever that you
can use to engage the brakes.

Something like a MICE-DROP BGP Community allows responsible peers to
implement robust filtering of their routes, where even if something fails
on their side, maybe something on our side can catch the failure and
prevent it being propagated.

Thanks.

On Wed, Sep 18, 2019 at 5:14 PM Brandon Mulligan <[log in to unmask]> wrote:

> David,
>
> Do the MICE route servers not have explicit route filters on each BGP
> session? If you can't trust a network to advertise only their IPs then how
> can you trust them to attach a community to their "optimized routes"?
>
> Also, could one simply use 0:53679 on their "optimized routes" to achieve
> the same effect?
>
> Thanks.
> On 9/18/2019 4:43 PM, David Farmer wrote:
>
> I found an interesting article in my LinkedIn feed last night on BGP
> Optimizers;
>
>
> https://www.itnews.com.au/news/bgp-optimisers-seem-a-good-idea-until-they-bring-down-the-internet-530928
> ?
>
> I'd be interested if anyone in the MICE community is using a BGP
> Optimizer? Especially one that generates more specific prefixes in BGP.
>
> I don't want to expose anyone to ridicule, so please don't go there if
> anyone fesses up, even in jest, this needs to be treated seriously.
>
> However, if anyone is using a BGP Optimizer, especially one generating
> more specific prefixes, I think it would behoove the MICE community to put
> in extra defenses against propagating these more specific prefixes through
> the exchange and out to the Internet in general or even our own downstream
> customers.
>
> For example we could create a MICE-DROP BGP Community that we can tag any
> routes that should be dropped if they are (accidentally) announced to the
> MICE route server or to other MICE peers, such as these more specific
> routes created by a BGP Optimizer. Basically we would each add something to
> our routing policy, and on the MICE route servers too, looking for that BGP
> Community and immediately dropping any routes tagged with it.
>
> Also, if anyone is using a BGP Optimizer in our community that would be a
> very good reason to accelerate IRR based router filtering for our exchange.
>
> Thanks.
> --
> ===============================================
> David Farmer               Email:[log in to unmask]
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>
> ------------------------------
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
>
> --
> Brandon Mulligan
> Kansas City Internet eXchange http://kcix.net
>


-- 
===============================================
David Farmer               Email:[log in to unmask]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
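
The layering discussed in this thread (max-prefix limit, a drop community, IRR filtering) can be modelled as one import policy. This is an added example, not part of the original messages or MICE's configuration; the community value `64512:999`, the function name `import_policy` and the sample routes are constructed placeholders, since the thread assigns no value to MICE-DROP.

```python
import ipaddress

# Constructed placeholder: the thread proposes MICE-DROP but assigns no value.
MICE_DROP = (64512, 999)

def import_policy(routes, irr_prefixes=None, max_prefixes=100):
    """Apply route-server import layers to one peer's announcements.

    routes: list of (prefix_str, set_of_communities).
    irr_prefixes: set of registered prefixes, or None if IRR filtering
    is not deployed yet. Returns (accepted, dropped, session_up).
    """
    # Layer 1: max-prefix limit tears the session down on a flood.
    if len(routes) > max_prefixes:
        return [], [(p, "max-prefix exceeded") for p, _ in routes], False
    allowed = None
    if irr_prefixes is not None:
        allowed = {ipaddress.ip_network(p) for p in irr_prefixes}
    accepted, dropped = [], []
    for prefix, communities in routes:
        net = ipaddress.ip_network(prefix)
        # Layer 2: the originator's own "never export this" tag.
        if MICE_DROP in communities:
            dropped.append((prefix, "MICE-DROP community"))
        # Layer 3: exact-match IRR filter rejects unregistered more-specifics.
        elif allowed is not None and net not in allowed:
            dropped.append((prefix, "not in IRR"))
        else:
            accepted.append(prefix)
    return accepted, dropped, True

# Constructed sample: one registered aggregate plus two optimizer-generated
# more-specifics (documentation address space, RFC 5737).
LEAK = [
    ("198.51.100.0/24", set()),
    ("198.51.100.0/25", {MICE_DROP}),
    ("198.51.100.128/25", {MICE_DROP}),
]
IRR = {"198.51.100.0/24"}

if __name__ == "__main__":
    for label, irr in (("IRR deployed", IRR), ("no IRR filter", None)):
        accepted, dropped, up = import_policy(LEAK, irr)
        print(label, "accepted:", accepted, "dropped:", dropped)
```

With no IRR filter in place the tagged more-specifics are still dropped; with the tag missing, only the IRR layer or the max-prefix limit stands between the leak and the other peers.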