[atnog] Fwd: Bogon ASN Filter Policy

Arnold Nipper arnold at nipper.de
Wed Jun 8 04:30:33 CEST 2016


On 07.06.2016 09:00, Otmar Lendl wrote:
> 
> FYI,
> 
> there is some movement on the topic of bogon filtering.
>  

Yes, nice that the big carriers are finally discovering this topic for
themselves as well.

At IXPs (e.g. DE-CIX, and surely at VIX as well) rigorous filtering has
been in place for a long time. A prefix only gets through the DE-CIX
route server if its origin matches as well. We do not do complete path
filtering, though.

Under discussion is letting carriers mark their AS as "should not be
seen".



Regards,
Arnold

> At various meetings recently we have heard more and more about
> prefix hijacking. That is a very old trick for sending spam, but
> supposedly it is now also being used for DDoS (more precisely: injecting
> spoofed packets).
> 
> otmar
> 
> -------- Forwarded Message --------
> 
> TLP:GREEN
> 
> NTT (2914), GTT (3257), AT&T (7018) and KPN (286) have publicly
> committed to deploy this style of policy in June/July 2016.
> 
> NTT's outreach programme is effective: the number of impacted prefixes
> in the DFZ has already dropped by 50% in the last two weeks.
> 
> Kind regards,
> 
> Job
> 
> ----- Forwarded message from Job Snijders <job at ntt.net> -----
> 
> Date: Thu, 2 Jun 2016 21:41:38 +0200
> From: Job Snijders <job at ntt.net>
> To: nanog at nanog.org
> Cc: Jared Mauch <jmauch at us.ntt.net>
> Subject: Bogon ASN Filter Policy
> 
> Dear fellow network operators,
> 
> In July 2016, NTT Communications' Global IP Network AS2914 will deploy a
> new routing policy to block Bogon ASNs from its view of the default-free
> zone. This notification is provided as a courtesy to the network
> community at large.
> 
> After the Bogon ASN filter policy has been deployed, AS 2914 will not
> accept route announcements from any eBGP neighbor which contains a Bogon
> ASN anywhere in the AS_PATH or its atomic aggregate attribute.
> 
> The reasoning behind this policy is twofold:
> 
>     - Private or Reserved ASNs have no place in the public DFZ. Barring
>       these from the DFZ helps improve accountability and dampen
>       accidental exposure of internal routing artifacts.
> 
>     - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456"
>       in the DFZ is either a misconfiguration or a software issue.
> 
> We are undertaking this effort to improve the quality of routing data as
> part of the global ecosystem. This should improve the security posture
> and provide additional certainty [1] to those undertaking network
> troubleshooting.
> 
> Bogon ASNs are currently defined as following:
> 
>     0                       # Reserved RFC7607
>     23456                   # AS_TRANS RFC6793
>     64496-64511             # Reserved for use in docs and code RFC5398
>     64512-65534             # Reserved for Private Use RFC6996
>     65535                   # Reserved RFC7300
>     65536-65551             # Reserved for use in docs and code RFC5398
>     65552-131071            # Reserved
>     4200000000-4294967294   # Reserved for Private Use RFC6996
>     4294967295              # Reserved RFC7300
> 
> A current overview of what are considered Bogon ASNs is maintained at
> NTT's Routing Policies page [2]. The IANA Autonomous System Number
> Registry [3] is closely tracked and the NTT Bogon ASN definitions are
> updated accordingly.
> 
> We encourage network operators to consider deploying similar policies.
> Configuration examples for various platforms can be found here [4].
> 
> NTT staff is monitoring current occurrences of Bogon ASNs in the routing
> system and reaching out to impacted parties on a weekly basis.
> 
> Kind regards,
> 
> Job
> 
> Contact persons:
> 
>     Job Snijders <job at ntt.net>, Jared Mauch <jmauch at us.ntt.net>,
>     NTT Communications NOC <noc at ntt.net>
> 
> References:
> [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
> [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
> [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
> [4]: http://as2914.net/bogon_asns/configuration_examples.txt
> 
> ----- End forwarded message -----
> 
> 
> 
> 


-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold at nipper.de      phone: +49 6224 5593407 2
mobile: +49 172 2650958      fax:   +49 6224 5593407 9
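Added example, not part of this thread and not NTT's own configuration examples [4]: a small Python check that mirrors the policy described in Job's mail by flagging any bogon ASN appearing anywhere in an AS_PATH. The bogon ranges are the ones listed in the mail; the AS_PATH text parser (AS_SET braces, asdot 4-byte notation), the verdict strings and the sample announcements are constructed for this illustration and are assumptions, not real DFZ data.

```python
# Added example: reject a route when any bogon ASN appears in its AS_PATH.
# Bogon ranges copied from the NTT announcement above; everything else is a
# constructed illustration, not NTT's policy code.

BOGON_ASN_RANGES = [
    (0, 0),                      # Reserved, RFC 7607
    (23456, 23456),              # AS_TRANS, RFC 6793
    (64496, 64511),              # Reserved for docs and code, RFC 5398
    (64512, 65534),              # Reserved for Private Use, RFC 6996
    (65535, 65535),              # Reserved, RFC 7300
    (65536, 65551),              # Reserved for docs and code, RFC 5398
    (65552, 131071),             # Reserved
    (4200000000, 4294967294),    # Reserved for Private Use, RFC 6996
    (4294967295, 4294967295),    # Reserved, RFC 7300
]


def is_bogon_asn(asn):
    """True if the ASN falls into any bogon range (inclusive bounds)."""
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def parse_as_path(as_path):
    """Flatten an AS_PATH given in the usual 'show route' text form.

    AS_SEQUENCE members are space separated; AS_SET members sit inside
    braces, e.g. '2914 3257 {65001,65002}'. Members of an AS_SET count
    just like sequence members, since the policy rejects a bogon ASN
    "anywhere in the AS_PATH". Asdot notation ('1.10' == 65546) is also
    accepted (assumption: operators may paste asdot output).
    """
    tokens = (as_path.replace("{", " ").replace("}", " ")
                     .replace(",", " ").split())
    asns = []
    for tok in tokens:
        if "." in tok:
            high, low = tok.split(".", 1)
            asns.append(int(high) * 65536 + int(low))
        else:
            asns.append(int(tok))
    return asns


def bogon_asns_in_path(as_path):
    """Return the bogon ASNs found in the path, in order of appearance."""
    return [asn for asn in parse_as_path(as_path) if is_bogon_asn(asn)]


def accept_route(as_path):
    """Policy mirror: accept only paths that contain no bogon ASN at all."""
    return not bogon_asns_in_path(as_path)


# Constructed sample announcements (documentation prefixes, made-up paths).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", "2914 3257 7018"),
    ("198.51.100.0/24", "2914 65001 3257"),
    ("203.0.113.0/24", "2914 {286,64500}"),
    ("192.0.2.128/25", "2914 23456 286"),
]


def apply_policy(announcements):
    """Return (prefix, as_path, verdict) tuples; verdict is 'accept' or
    'reject: bogon ASN <n>' naming the first offending ASN."""
    results = []
    for prefix, as_path in announcements:
        found = bogon_asns_in_path(as_path)
        verdict = "accept" if not found else "reject: bogon ASN %d" % found[0]
        results.append((prefix, as_path, verdict))
    return results


if __name__ == "__main__":
    for prefix, as_path, verdict in apply_policy(SAMPLE_ANNOUNCEMENTS):
        print("%-17s %-22s %s" % (prefix, as_path, verdict))
```

The check is deliberately path-wide rather than origin-only, matching the "anywhere in the AS_PATH" wording; an origin-only check would miss a private ASN leaked mid-path by a transit customer.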
