I found an interesting article in my LinkedIn feed last night on BGP Optimizers; https://www.itnews.com.au/news/bgp-optimisers-seem-a-good-idea-until-they-bring-down-the-internet-530928
I'd be interested if anyone in the MICE community is using a BGP Optimizer? Especially one that generates more specific prefixes in BGP.
I don't want to expose anyone to ridicule, so please don't go there if anyone fesses up, even in jest, this needs to be treated seriously.
However, if anyone is using a BGP Optimizer, especially one generating more specific prefixes, I think it would behoove the MICE community to put in extra defenses against propagating these more specific prefixes through the exchange and out to the Internet in general or even our own downstream customers.
For example we could create a MICE-DROP BGP Community that we can tag any routes that should be dropped if they are (accidentally) announced to the MICE route server or to other MICE peers, such as these more specific routes created by a BGP Optimizer. Basically we would each add something to our routing policy, and on the MICE route servers too, looking for that BGP Community and immediately dropping any routes tagged with it.
Also, if anyone is using a BGP Optimizer in our community that would be a very good reason to accelerate IRR based router filtering for our exchange.
Thanks.
--
===============================================
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
David,
Do the MICE route servers not have explicit route filters on each BGP session? If you can't trust a network to advertise only their IPs then how can you trust them to attach a community to their "optimized routes"?
Also, could one simply use 0:53679 on their "optimized routes" to achieve the same effect?
Thanks.
On 9/18/2019 4:43 PM, David Farmer wrote:
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
-- Brandon Mulligan Kansas City Internet eXchange http://kcix.net
Folks using route-optimizer things like Noction and such *SHOULD* be setting no-export on any prefixes it generates... As we’ve seen in history over the last years, that doesn’t always happen. I think they recently (last-year ish?) made that a default, instead of a manual setting.
On Sep 18, 2019, at 5:14 PM, Brandon Mulligan <brandon@KCIX.NET> wrote:
Noction does their installs themselves normally so arguably none of their settings are default and are subject to the specific build of software they initially install and how their engineer lays down the base config.
RE: The specific instance referenced in the article was the result of several companies failing to follow best practice with regard to their network management from what I recall and Noction just amplified the issue. The article above is glazing over a lot of details.
On Wed, Sep 18, 2019, 5:22 PM Andrew Hoyos <hoyosa@gmail.com> wrote:
and +1 on accelerating IRR based filtering on the route servers…
Well we can't necessarily trust them to attach the BGP Community or filter properly, this is why if there are people using BGP Optimizers, I would want us to accelerate IRR filtering for MICE, but even that isn't perfect. However, the idea around a MICE-DROP BGP Community is to develop a robust approach, belt and suspenders so to speak.
For example, let's say they are filtering but they make a mistake editing their filter, or they load new code on their router and a bug allows routes to leak. If in a different part of their configuration, or maybe on the BGP Optimizer itself, they set the MICE-DROP community, then their mistake or bug still won't propagate through MICE, because the other MICE participants or the MICE route servers would know to drop the routes with that tag anyway.
It's also why we all need to enforce max prefix counts on our peers and on peers to the route servers, it helps catch the unexpected mistake or bug.
Robust systems have multiple layers of protection. The brake system on your car probably has power assist of some kind, but your brakes are designed to work even if the power assist fails, you still have manual, unassisted, hydraulics through the brake pedal, and if the hydraulic system completely fails, you have an emergency brake with a cable attached to a lever that you can use to engage the brakes.
Something like a MICE-DROP BGP Community allows responsible peers to implement robust filtering of their routes, where even if something fails on their side, maybe something on our side can catch the failure and prevent it being propagated.
Thanks.
On Wed, Sep 18, 2019 at 5:14 PM Brandon Mulligan <brandon@kcix.net> wrote:
-- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
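The layering described in the message above (a drop community checked alongside IRR-based filtering and a max-prefix limit), modelled as an added example that is not part of the original thread and is not MICE's actual route-server configuration. The MICE_DROP value, the sample prefixes and ASNs, and counting max-prefix on received routes are assumptions made for illustration.

```python
from ipaddress import ip_network

MICE_DROP = (64496, 666)     # placeholder value; the thread never assigns one
NO_EXPORT = (65535, 65281)   # well-known community from RFC 1997
DO_NOT_PROPAGATE = {MICE_DROP, NO_EXPORT}


def irr_permits(route, irr_objects):
    """IRR layer: exact prefix and origin must match a registered route object."""
    return (ip_network(route["prefix"]), route["origin"]) in irr_objects


def evaluate(routes, irr_objects, max_prefixes, irr_enabled=True):
    """Return (session_up, [(prefix, verdict), ...]) for one peer's announcements."""
    # Max-prefix layer: modelled as a count of everything the peer sent.
    if len(routes) > max_prefixes:
        return False, [(r["prefix"], "session down: max-prefix") for r in routes]
    verdicts = []
    for r in routes:
        if DO_NOT_PROPAGATE & set(r["communities"]):
            # Community layer: works even if the prefix filter is broken.
            verdicts.append((r["prefix"], "reject: drop community"))
        elif irr_enabled and not irr_permits(r, irr_objects):
            verdicts.append((r["prefix"], "reject: not in IRR"))
        else:
            verdicts.append((r["prefix"], "accept"))
    return True, verdicts


# Constructed sample data using documentation prefixes and ASNs.
IRR = {(ip_network("198.51.100.0/24"), 64500),
       (ip_network("203.0.113.0/24"), 64500)}
ANNOUNCED = [
    {"prefix": "198.51.100.0/24", "origin": 64500, "communities": []},
    # Optimizer-style more specifics: one tagged, one leaked without a tag.
    {"prefix": "203.0.113.0/25", "origin": 64500, "communities": [MICE_DROP]},
    {"prefix": "203.0.113.128/25", "origin": 64500, "communities": []},
]

if __name__ == "__main__":
    for irr_on in (True, False):
        print("IRR filtering enabled:", irr_on)
        _, verdicts = evaluate(ANNOUNCED, IRR, max_prefixes=10, irr_enabled=irr_on)
        for prefix, verdict in verdicts:
            print(f"  {prefix:18} {verdict}")
```

With IRR filtering disabled, the tagged more specific is still rejected while the untagged one is accepted, which is the gap each layer leaves for the others to cover.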
We run across these a lot on our customer endpoints… I have found that these hinge on the single assumption BGP best practices have been followed end-to-end. Also, end user education about how they function is a serious issue. IRR is the more serious concern/project for us at this juncture to insure global reachability. +2 on the IRR!
-Sparky.
From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> On Behalf Of David Farmer
Sent: Wednesday, September 18, 2019 4:43 PM
To: MICE-DISCUSS@LISTS.IPHOUSE.NET
Subject: [MICE-DISCUSS] BGP Optimizers
participants (5)
- Andrew Hoyos
- Brady Kittel
- Brandon Mulligan
- David Farmer
- Jeffrey Anderson