At NANOG it was strongly suggested we, privately for MICE and more generally for all IXes, should implement IRR filtering on our route servers ASAP. We are now one of the bigger IXes not already filtering, especially in the US. We should probably block routes with invalid RPKI ROAs too. Arouteserver was recommended as one of the better and easier to implement options. There are offers to help us with this from Theo de Raadt <deraadt@yycix.ca> of the Calgary Internet Exchange (YYCIX) and by others.

https://blog.apnic.net/2017/03/17/ixp-automation-made-easy-new-open-source-tool/
https://github.com/pierky/arouteserver
https://arouteserver.readthedocs.io/en/latest/

FYI additionally, Fastly already filters based on IRR objects, and HE has recently started filtering.

https://www.fastly.com/peering
http://routing.he.net/algorithm.html

Also at NANOG, it was announced by Google that they plan to begin filtering routes based IRR data early next year.  See slide 114 of the following;

https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetanov_Security_Track_Bgp_v1.pdf

There is lots of other good stuff in the deck, but the fact that Google plans to start filtering based on IRR objects is BIG news.

So, we need to escalate doing route filtering on our Route Servers. Furthermore, if you don't already have IRR objects, you should probably start working on them. The following is a handy tool to check the consistency of your IRR objects.

http://irrexplorer.nlnog.net/

Thanks.
--
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1