March 25, 2020


Lightning Talk: Fighting BGP Route Leaks with PeeringDB's new never via route servers flag


Talk Title Lightning Talk: Fighting BGP Route Leaks with PeeringDB's new never via route servers flag
Speakers Theo Voss (ANEXIA Internetdienstleistungs GmbH)
Conference NANOG78
Location San Francisco, CA
Date Feb 10 2020 - Feb 12 2020

Route servers are a convenience service that exists to lower the barrier to participating at an IXP. In the past, these route servers also distributed leaked routes from peers not participating and aggravated severe outages of the internet. Furthermore, the quality of BGP filters varies across IXPs. A few large operators have implemented countermeasures like Peerlock, but most other operators have not. With version 2.18.0, PeeringDB introduced a feature called “Never via route servers” that lets networks indicate whether their routes should be reachable via route servers or not. This makes it possible to generate filters for all route server peerings and drop announcements that contain, anywhere in the AS path, an AS number with the “Never via route servers” flag set. Next to bogon filters, RPKI and IRR filters, this is another milestone in terms of automated routing security based on a central, authorized and well-maintained database. This talk explains how the flag can easily be used to generate filters by showing example API calls and router configuration.
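A sketch of the filter generation described above, as an added example that is not taken from the talk or its slides. It assumes PeeringDB's `net` records expose the flag as `info_never_via_route_servers`; the embedded response, the documentation-range ASNs, the ACL number 99 and the choice of Cisco IOS style as-path syntax are all constructed for illustration.

```python
import json

# Constructed sample shaped like a PeeringDB /api/net response; the ASNs are
# from the documentation range (RFC 5398), not real networks.
SAMPLE_RESPONSE = json.dumps({"meta": {}, "data": [
    {"asn": 64496, "name": "Example Transit A", "info_never_via_route_servers": True},
    {"asn": 64497, "name": "Example Access B", "info_never_via_route_servers": False},
    {"asn": 64498, "name": "Example Transit C", "info_never_via_route_servers": True},
]})


def flagged_asns(response_text):
    """Return the sorted ASNs whose record sets info_never_via_route_servers."""
    nets = json.loads(response_text).get("data", [])
    # Only an explicit boolean true counts; a missing or null field is not a flag.
    return sorted({int(n["asn"]) for n in nets
                   if n.get("info_never_via_route_servers") is True})


def render_as_path_acl(asns, acl_id=99):
    """Render a Cisco IOS style as-path access-list (acl_id is a placeholder)."""
    if not asns:
        # An empty list usually means the API fetch failed, not that no
        # network set the flag; do not silently emit a permit-all filter.
        raise ValueError("empty ASN list: refusing to render a permit-all filter")
    lines = [f"ip as-path access-list {acl_id} deny _{asn}_" for asn in asns]
    lines.append(f"ip as-path access-list {acl_id} permit .*")
    return "\n".join(lines)


def accept_from_route_server(as_path, never_via_rs):
    """Mirror the router decision: drop if any ASN in the path is flagged."""
    return not any(asn in never_via_rs for asn in as_path)


if __name__ == "__main__":
    asns = flagged_asns(SAMPLE_RESPONSE)
    print(render_as_path_acl(asns))
    # Constructed announcements as (prefix, AS path) received from a route server.
    for prefix, path in [("192.0.2.0/24", [64500, 64497]),
                         ("198.51.100.0/24", [64500, 64496, 64501])]:
        verdict = "accept" if accept_from_route_server(path, set(asns)) else "drop"
        print(prefix, path, verdict)
```

The generated list belongs only on sessions towards route servers; applied to direct or transit sessions it would drop the legitimate routes of the flagged networks.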
