Lots of fancy words which can be boiled down to: Don't trust the s**t your customer sends you.
The Internet's fundamental routing infrastructure, the Border Gateway Protocol (BGP), is so fragile that errors in one to four per cent of ISP route filters can propagate bad routes. So says Czech DDOS-defender Qrator Labs, which carried out a project to try and help the Internet community quantify how much of the threat to …
This is unprecedented.
"Failure to properly sanitise input data".
"Failure to apply least-privilege principles" (if it's not explicitly allowed, it can't happen).
"Failure to apply sensible defaults"
"Failure to check output of own systems matches expectations"
It's not like those EVER cause problems, is it?
You make my heart sing, you make everything.. interesting to route. So-
put IRR filters on all customer links; watch for customers adding “something weird” in their AS-SETs; consider applying IRR filters to peering links; and “constantly monitor BGP”.
The last bit is probably the easiest, ie 'why is traffic going thataway?'. Rest is largely down to history and the trust model, ie BGP being between peers. Which also ended up being some single homed customers, who often don't need it. Or multi-homed with PI, who may still be wondering about load balancing.
Or the biggest issue, a lot of routes that don't have route objects, AS-SETs or just refer you to the space holder, who's usually in the US. Where despite the best efforts of the other registries, IRR's haven't proven popular.
Details/memory are murky. I wasn't the boss guy here so don't blame me for the initial cockup.
Some ISP in Malaysia begun announcing a /15 (??) of ours. Bad bad ISP, and bad for those ASs around them to accept it. Probably a lot of bad all round.
Everyone running around like headless chooks trying to sort the routing out until such time as we could tell the Malaysian mob to re-enter the right config on their boxes. I (young guy not allowed to talk because I couldn't possibly know any better) suggested that we advertise the /15 as two separate /16s so the more specifics would appear in the tables until such time as we could sort it out.
It worked until we were able to contact the Malaysian ISP but it goes to show how easy this stuff can happen.
Biting the hand that feeds IT © 1998–2020