MICE Route Filtering
At NANOG it was strongly suggested we, privately for MICE and more generally for all IXes, should implement IRR filtering on our route servers ASAP. We are now one of the bigger IXes not already filtering, especially in the US. We should probably block routes with invalid RPKI ROAs too. Arouteserver was recommended as one of the better and easier to implement options. There are offers to help us with this from Theo de Raadt < deraadt@yycix.ca> of the Calgary Internet Exchange (YYCIX) and by others. https://blog.apnic.net/2017/03/17/ixp-automation-made-easy-new-open-source-t... https://github.com/pierky/arouteserver https://arouteserver.readthedocs.io/en/latest/ FYI additionally, Fastly already filters based on IRR objects, and HE has recently started filtering. https://www.fastly.com/peering http://routing.he.net/algorithm.html Also at NANOG, it was announced by Google that they plan to begin filtering routes based IRR data early next year. See slide 114 of the following; https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetan... There is lots of other good stuff in the deck, but the fact that Google plans to start filtering based on IRR objects is BIG news. So, we need to escalate doing route filtering on our Route Servers. Furthermore, if you don't already have IRR objects, you should probably start working on them. The following is a handy tool to check the consistency of your IRR objects. http://irrexplorer.nlnog.net/ Thanks. -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
I am in favor of this, especially if we have someone that is experienced that is willing to help. I would propose that we start with RS#2 and test for a while, then we can notify people who's prefixes are being rejected prior to applying to RS#1. I would also propose that at the same time we set RS#2 to be passive so that it cuts down on the chatter that it is creating on the exchange waiting for people to connect, or people who have not yet turned up their v6 sessions. I think this would be a great point of discussion at the next UG. From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of David Farmer Sent: Saturday, October 06, 2018 11:20 AM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: [MICE-DISCUSS] MICE Route Filtering At NANOG it was strongly suggested we, privately for MICE and more generally for all IXes, should implement IRR filtering on our route servers ASAP. We are now one of the bigger IXes not already filtering, especially in the US. We should probably block routes with invalid RPKI ROAs too. Arouteserver was recommended as one of the better and easier to implement options. There are offers to help us with this from Theo de Raadt <deraadt@yycix.ca> of the Calgary Internet Exchange (YYCIX) and by others. https://blog.apnic.net/2017/03/17/ixp-automation-made-easy-new-open-source-t... https://github.com/pierky/arouteserver https://arouteserver.readthedocs.io/en/latest/ FYI additionally, Fastly already filters based on IRR objects, and HE has recently started filtering. https://www.fastly.com/peering http://routing.he.net/algorithm.html Also at NANOG, it was announced by Google that they plan to begin filtering routes based IRR data early next year. See slide 114 of the following; https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetan... There is lots of other good stuff in the deck, but the fact that Google plans to start filtering based on IRR objects is BIG news. So, we need to escalate doing route filtering on our Route Servers. Furthermore, if you don't already have IRR objects, you should probably start working on them. The following is a handy tool to check the consistency of your IRR objects. http://irrexplorer.nlnog.net/ Thanks. -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On 10/06/2018 09:06 PM, Jeremy Lumby wrote:
I would propose that we start with RS#2 and test for a while, then we can notify people who's prefixes are being rejected prior to applying to RS#1.
That would be ideal.
I would also propose that at the same time we set RS#2 to be passive so that it cuts down on the chatter that it is creating on the exchange waiting for people to connect, or people who have not yet turned up their v6 sessions.
Yes, please. -- Richard
On Sat, Oct 6, 2018 at 9:07 PM Jeremy Lumby <jlumby@mnvoip.com> wrote:
I am in favor of this, especially if we have someone that is experienced that is willing to help. I would propose that we start with RS#2 and test for a while, then we can notify people who's prefixes are being rejected prior to applying to RS#1. I would also propose that at the same time we set RS#2 to be passive so that it cuts down on the chatter that it is creating on the exchange waiting for people to connect, or people who have not yet turned up their v6 sessions. I think this would be a great point of discussion at the next UG.
Generally, that is the suggested plan, but also set a two or three week deadline between filtering on RS#2 and RS#1, and no white listing execptions either. Yes, we should discuss this on Wednesday. I think it is really important to hear from anyone who doesn't think this is a good idea, and why. Thanks =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
participants (3)
-
David Farmer
-
Jeremy Lumby
-
Richard Laager