Blocking private AS

I am thinking about implementing a filter to block all traffic with
private AS numbers in the path. I see quite a few in my table though so
I am concerned I might block some legitimate traffic. In some cases,
these are just prefixes with the private appended to the end but a few
have the private as a transit. Is this a good idea or would I likely be
blocking too much legitimate traffic? The filter I am using currently
shows the following:

BGP table version is 5462394, local router ID is 209.112.253.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
* i58.68.109.0/24 x.x.x.x 0 100 0 6130 9498 10201 65534 i
*> y.y.y.y 0 6130 9498 10201 65534 i
* i68.115.224.0/24 x.x.x.x 0 100 0 6130 19151 20115 65011 i
*> y.y.y.y 0 6130 19151 20115 65011 i
* 85.112.22.0/24 y.y.y.y 0 6130 6939 23148 64532 64532 64532 64532 64532 64532 64532 64532 64532 i
*> 93.189.194.0/24 y.y.y.y 0 6130 3549 39386 39386 39386 25233 65000 47146 i
* i x.x.x.x 0 100 0 6130 3549 39386 39386 39386 25233 65000 47146 i
*> 96.60.243.0/24 y.y.y.y 0 6130 2828 4181 65528 i
* i x.x.x.x 0 100 0 6130 2828 4181 65528 i
* i96.61.232.0/24 x.x.x.x 0 100 0 6130 2828 4181 65527 i
*> y.y.y.y 0 6130 2828 4181 65527 i
* i96.61.233.0/24 x.x.x.x 0 100 0 6130 2828 4181 65527 i
*> y.y.y.y 0 6130 2828 4181 65527 i
* i96.61.234.0/24 x.x.x.x 0 100 0 6130 2828 4181 65527 i
*> y.y.y.y 0 6130 2828 4181 65527 i
*> 148.207.2.0/24 y.y.y.y 0 6130 2828 3257 16531 13579 65090 i
* i x.x.x.x 0 100 0 6130 2828 3257 16531 13579 65090 i
*> 148.207.40.0/24 y.y.y.y 0 6130 2828 3257 16531 13579 65090 i
* i x.x.x.x 0 100 0 6130 2828 3257 16531 13579 65090 i
*> 148.207.97.0/24 y.y.y.y 0 6130 2828 3257 16531 13579 65090 i
* i x.x.x.x 0 100 0 6130 2828 3257 16531 13579 65090 i
* 170.34.100.0/24 y.y.y.y 0 6130 19151 20115 65011 ?
* 170.34.104.0/24 y.y.y.y 0 6130 19151 20115 65011 ?
* 170.34.113.0/24 y.y.y.y 0 6130 19151 20115 65011 ?
* i174.35.1.0/24 x.x.x.x 0 100 0 6130 16467 64565 i
* i174.47.199.0/24 x.x.x.x 0 100 0 6130 2828 4323 15065 65123 i
*> y.y.y.y 0 6130 2828 4323 15065 65123 i
* i192.109.61.0 x.x.x.x 0 100 0 6130 19151 20115 65011 i
*> y.y.y.y 0 6130 19151 20115 65011 i
*> 196.216.249.0 y.y.y.y 0 6130 2828 3257 8513 8513 8513 36881 65000 36896 37062 i
* i x.x.x.x 0 100 0 6130 2828 3257 8513 8513 8513 36881 65000 36896 37062 i
   Network Next Hop Metric LocPrf Weight Path
*> 209.172.69.128/30
                    y.y.y.y 0 6130 16467 64565 i
* i x.x.x.x 0 100 0 6130 16467 64565 i
*> 213.146.161.0 y.y.y.y 0 6130 2828 174 64679 48493 i
* i x.x.x.x 0 100 0 6130 2828 174 64679 48493 i

Thomas Magill
Network Engineer

Thomas Magill wrote:

I am thinking about implementing a filter to block all traffic with
private AS numbers in the path. I see quite a few in my table though so
I am concerned I might block some legitimate traffic. In some cases,
these are just prefixes with the private appended to the end but a few
have the private as a transit. Is this a good idea or would I likely be
blocking too much legitimate traffic? The filter I am using currently
shows the following:

I filter private ASNs and have not had any reachability problems
related to that. I suspect most of the routes you see with a private
ASN in the path are covered by a less specific route without any
private ASN in the path. Someone used a private ASN with their
customer and forgot to filter it to their upstreams/peers.

- Kevin

I am also curious about blocking legitimate traffic. I just implemented
a filter to remove routes with a private-AS anywhere in the path. Over
200 routes were filtered.

I spot checked a few prefixes:

- A few had a covering prefix.
- A few prefixes were originated by a non-private AS and a private AS and
  would have otherwise been accepted if Cogent (in my case) had that route
  as a best path.
- And a few prefixes just won't be reachable by my customers.

If anyone wants to see what I filtered out: http://pastebin.com/AFyYrfZk
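
An added example, not written by any poster in this thread: Python that automates the spot check described above, classifying AS paths taken from the first message by whether the private ASN sits at the origin or in transit position, then looking for a less-specific covering route. The private ranges are those of RFC 6996, and the `ACCEPTED` list is constructed sample data standing in for the routes that survive the filter.

```python
import ipaddress

# Private-use ASN ranges per RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def classify(as_path):
    """Return 'clean', 'origin' or 'transit' for a space-separated AS path."""
    asns = [int(a) for a in as_path.split()]
    if not any(is_private(a) for a in asns):
        return "clean"
    # Drop the trailing run of private ASNs (the origin, possibly prepended).
    while asns and is_private(asns[-1]):
        asns.pop()
    # A private ASN still present has a public ASN to its right: transit position.
    return "transit" if any(is_private(a) for a in asns) else "origin"

def covering_route(prefix, accepted):
    """Return the most specific accepted less-specific route covering prefix, or None."""
    net = ipaddress.ip_network(prefix)
    covers = [c for c in map(ipaddress.ip_network, accepted)
              if c.prefixlen < net.prefixlen and net.subnet_of(c)]
    return str(max(covers, key=lambda c: c.prefixlen)) if covers else None

def audit(routes, accepted):
    """Map each prefix the filter would drop to (private ASN position, covering route)."""
    report = {}
    for prefix, path in routes:
        kind = classify(path)
        if kind != "clean":
            report[prefix] = (kind, covering_route(prefix, accepted))
    return report

# Paths copied from the table in the first message.
ROUTES = [
    ("58.68.109.0/24", "6130 9498 10201 65534"),
    ("85.112.22.0/24", "6130 6939 23148 " + "64532 " * 9),
    ("93.189.194.0/24", "6130 3549 39386 39386 39386 25233 65000 47146"),
    ("96.60.243.0/24", "6130 2828 4181 65528"),
    ("148.207.2.0/24", "6130 2828 3257 16531 13579 65090"),
]
# Constructed sample: a less-specific route assumed to remain after filtering.
ACCEPTED = ["96.60.0.0/15"]

if __name__ == "__main__":
    for prefix, (kind, cover) in audit(ROUTES, ACCEPTED).items():
        print(f"{prefix:18} private AS as {kind:8} covered by {cover}")
```

Prefixes reported with no covering route are the ones that become unreachable once the filter is applied.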