ISP Policies

Hi,

I have a general policy question.

Do the ISPs ever look for some particular AS number in the BGP AS_PATH and then decide what action/preference/priority they need to take/give based on the AS number(s) present in the BGP AS_PATH_SEQ/SET? For instance, does it happen that an ISP receives some BGP paths, but because of some political, social, economical, DOS attack, etc. reasons decides that it doesn't want to accept this path because some particular AS number is present in the BGP UPDATE.

Basically, it doesn't want *its* traffic to flow via that particular AS number(s).

Or, if there is a mutual disagreement between two ISPs, and one doesn't want his traffic to traverse the other's AS number.

Does this sort of thing ever happen? Are such restrictive policies normal in the ISP/IX scenarios?

Thanks,
Tulip

yes.

So can you give me an example of why and when would an ISP *not* want its traffic to flow via some other AS(es). Is it a normal policy to have, and do most of the ISPs have such policies in place?

Thanks,
Tulip

Tulip Rasputin wrote:

> So can you give me an example of why and when would an ISP *not* want its traffic to flow via some other AS(es). Is it a normal policy to have, and do most of the ISPs have such policies in place?

If you don't have a transit agreement and aren't sitting in the top tier peering list, you will not want traffic to flow via some other AS(es) as they may be blocking your advertisements inbound. This is really a "tier" question. Most end-node ASNs you will find do not want to provide transit traffic between their upstream ISPs (asking for trouble and bandwidth saturation) or at least make it a short-term emergency act of altruism.

You may have "dedicated" circuits or bandwidth or CIRs for certain services from YOUR ASN only. They may not accept traffic that doesn't originate in your ASN and you're wasting time to try. Part marketing, part business, part political as what transit you will support (and what transit your upstream(s) support).

In more practical terms, we have dedicated circuits for H.323 video, an IPSec link to our parent campus with the university-wide SAP/R3 traffic, another link restricted to ESNet (immediate peers only). For a commercial ISP your mileage may vary as you are, above a certain level, providing transit between different administrative domains (or ASNs, or whatever). You can do this with statics, with policy routing (or null routing), or in a local OSPF or whatever routing mechanism you have at your border.

Jeff

> Hi,
>
> I have a general policy question.
>
> Do the ISPs ever look for some particular AS number in the BGP AS_PATH and
> then decide what action/preference/priority they need to take/give based on
> the AS number(s) present in the BGP AS_PATH_SEQ/SET?

This happens all the time, but probably not quite the way you asked about it.
What does happen is that preference for outgoing traffic is decided
based on the AS path. I use this extensively and most of my route-maps are
using "match as-path" for deciding which upstream link to send traffic to.

And really what else do you expect a multihomed downstream ISP to do if one
upstream is known to have congestion on their link to another tier1 but
your other upstream does not have the same problem on their link to the
same tier1?

> For instance, does it happen that an ISP receives some BGP paths, but
> because of some political, social, economical, DOS attack, etc. reasons
> decides that it doesn't want to accept this path because some particular
> AS number is present in the BGP UPDATE.

BGP based filters also exist, but there appear to be no rules about when
it's good to set it up, so it's quite rare and entirely up to the engineer at the ISP
to decide if he wants to do as-path based filter or access-list based filter.
And while I've never seen any discussion about it, I know that some people
mentioned that they have done it to some known spammer as##. But much more
common is to use access-list and do filters based on IP blocks.

And you're correct that some people have used it during DoS attacks for
quick filtering until they could fully discuss it with the ISP in question.
Usually again you'd use access-list and filter a particular IP block, but if
bad traffic appears to be coming from multiple IP blocks all from the same
ISP, it's quicker to just filter it entirely until the situation is resolved.

> Basically, it doesn't want *its* traffic to flow via that particular AS
> number(s). Or, if there is a mutual disagreement between two ISPs, and
> one doesn't want his traffic to traverse the other's AS number.
>
> Does this sort of thing ever happen? Are such restrictive policies normal in
> the ISP/IX scenarios?

They are not "normal", but do happen. You really can't force somebody
else to accept your traffic if they don't want to. So you should behave
nice to your fellow ISPs and only send good traffic and have good
customers and then nobody would want to filter you :)
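
The two uses of the AS_PATH described in the reply above (choosing an upstream by matching on the AS path, and dropping routes that contain a particular AS) can be modelled as follows; this is an added example, not part of any post in this thread. The ASNs and prefixes are documentation values, the routes are constructed, and the policy tables and names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy tables (assumptions, not taken from the thread).
DENY_ASNS = {64500}          # routes crossing this AS are not accepted
PREFER_VIA = {64510: 200}    # routes crossing this AS get local-pref 200
DEFAULT_LOCAL_PREF = 100

@dataclass
class Route:
    prefix: str
    upstream: str
    as_path: list            # ints form the AS_SEQUENCE; a frozenset is an AS_SET
    local_pref: int = DEFAULT_LOCAL_PREF

def asns_in_path(as_path):
    """Flatten AS_SEQUENCE entries and AS_SET segments into one set of ASNs."""
    seen = set()
    for seg in as_path:
        seen |= seg if isinstance(seg, frozenset) else {seg}
    return seen

def apply_import_policy(route):
    """Return the route with local-pref set, or None if the AS_PATH is filtered."""
    asns = asns_in_path(route.as_path)
    if asns & DENY_ASNS:     # the denied AS may sit in a sequence or inside a set
        return None
    prefs = [PREFER_VIA[a] for a in asns if a in PREFER_VIA]
    route.local_pref = max(prefs, default=DEFAULT_LOCAL_PREF)
    return route

def best_path(routes, prefix):
    """Pick the outgoing path: highest local-pref first, then shortest AS_PATH."""
    candidates = [r for r in routes if r.prefix == prefix]
    accepted = [r for r in map(apply_import_policy, candidates) if r is not None]
    if not accepted:
        return None
    # An AS_SET counts as a single hop, so len(as_path) is the path length.
    return min(accepted, key=lambda r: (-r.local_pref, len(r.as_path)))

# Constructed sample routes using documentation ASNs and prefixes.
ROUTES = [
    Route("192.0.2.0/24", "upstream-A", [64496, 64500, 64511]),
    Route("192.0.2.0/24", "upstream-B", [64497, 64510, 64499, 64511]),
    Route("192.0.2.0/24", "upstream-C", [64498, 64511]),
    Route("198.51.100.0/24", "upstream-A", [64496, frozenset({64500, 64505})]),
]
```

The longer path via upstream-B wins for 192.0.2.0/24 because local preference is compared before AS_PATH length, and 198.51.100.0/24 ends up with no usable route because its only path carries the denied AS inside an AS_SET.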

Once upon a career, I was involved with shipping cargo via ocean vessel to Kuwait (and other Arab countries). We had to provide signed affidavits from the ships' owners that the carrying vessels were neither Israeli owned nor would call any Israeli ports during the voyage.

If Arab countries' ISPs were to follow the same political philosophy, I could see them filtering accordingly.

In short, politics.

Is it 'normal'?

Boy, is that a loaded question ;)

--Peter Wohlers

Tulip Rasputin wrote: