Strict route filtering at IX?

Hi NANOGers,

tl;dr What is the best practice for filtering a large number of
prefixes at an internet exchange?

Yesterday I ran into problems while writing new filtering rules for
my peerings at a local Exchange. My workflow probably has a flaw,
although it works fine for IPv6 (well, fewer prefixes there).

After the physical link was set up I started a BGP session with the
route server of the exchange. A few minutes later some other AS
imported my prefix, e.g. those listed at HE[1]. I guess they filtered
"less strict" :)
The next day the exchange's route server administrator added my AS-SET
to the AS-SET of the route server.

--- snip RIPE DB ---
as-set: AS-KLEYREX-RS1
descr: KleyReX Internet Exchange Frankfurt
--- snap ---

A few days have passed since then but the number of peers has not
increased as expected. Is this normal?
My mp-* entries look like this:

--- snip RIPE DB ---
aut-num: AS57821
mp-import: afi ipv4.unicast from AS31142 accept AS-KLEYREX-RS1
mp-export: afi ipv4.unicast to AS31142 announce AS-NONATTACHED
--- snap ---

Yesterday I thought about importing the route server's prefixes and, of
course, filtering them. Using rtconfig[2] I created a filter for BIRD[3]
like this:

--- snip bird.conf ---
if (prefix_too_long()) then reject;
@rtconfig printPrefixes "if (net ~ [ %p/%l+ ]) then accept;\n" filter
AS-KLEYREX-RS1 reject;
--- snap ---

This takes about 10-20 minutes and results in a very large config file
consisting of hundreds of prefixes in IPv4. The same config file for
IPv6 would be smaller. However, legacy protocol IPv4 is not yet dead so
I need to filter it somehow. BIRD sometimes segfaults when it is
advised to read those large filters.

So, here's the question: How do you filter at exchanges?
Where is the error in my workflow?
Is strict route filtering a myth?

Thanks for helping!
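An added example, not from the original post or from rtconfig or BIRD, of the filter-generation step described above: it parses constructed RIPE-style route objects, drops prefixes beyond an assumed /24 cut (the job of prefix_too_long() in the snippet), collapses prefixes already covered by a shorter one, and emits a single BIRD prefix set instead of one `if` per prefix. The filter name kleyrex_rs_in, the sample prefixes and origin ASNs, and the `{len,24}` length bounds are assumptions.

```python
import ipaddress
import re

# Constructed sample of RIPE-style route objects, as an IRR expansion of an
# AS-SET might return them (documentation prefixes, private-use ASNs).
SAMPLE_ROUTE_OBJECTS = """\
route:   192.0.2.0/24
origin:  AS64496
route:   198.51.100.0/23
origin:  AS64497
route:   198.51.100.0/24
origin:  AS64497
route:   203.0.113.0/28
origin:  AS64496
route:   192.0.2.0/24
origin:  AS64498
"""

def parse_route_objects(text):
    """Map each origin AS to the prefixes its route objects cover (a malformed
    route value raises ValueError rather than being kept silently)."""
    routes, prefix = {}, None
    for line in text.splitlines():
        m = re.match(r"^(route|origin):\s*(\S+)", line)
        if m and m.group(1) == "route":
            prefix = ipaddress.ip_network(m.group(2), strict=True)
        elif m and prefix is not None:
            routes.setdefault(m.group(2).upper(), set()).add(prefix)
            prefix = None
    return routes

def compact_prefixes(prefixes, max_len=24):
    """Drop prefixes longer than max_len (an assumed /24 cut, as prefix_too_long()
    would), then any prefix a shorter kept one covers: 'cover{len,max_len}' matches it."""
    kept = []
    for p in sorted((p for p in prefixes if p.prefixlen <= max_len),
                    key=lambda n: (n.prefixlen, n)):
        if not any(p.subnet_of(k) for k in kept):
            kept.append(p)
    return sorted(kept)

def build_bird_filter(routes, name="kleyrex_rs_in", max_len=24):
    """Emit one BIRD filter holding a single prefix set instead of one
    'if (net ~ [...]) then accept;' statement per prefix."""
    merged = {p for ps in routes.values() for p in ps}
    members = [f"{p}{{{p.prefixlen},{max_len}}}" for p in compact_prefixes(merged, max_len)]
    body = f"  if (net ~ [ {', '.join(members)} ]) then accept;"
    return "\n".join([f"filter {name}", "{", body, "  reject;", "}"])
```

On the constructed sample, build_bird_filter(parse_route_objects(SAMPLE_ROUTE_OBJECTS)) yields two set members instead of four statements: the covered /24 and the /28 are absent because the /23{23,24} entry and the length cut already handle them.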



I use a mixture of BGP communities and prefix lists and it scales very
well for me.

Rgds Peter,

Afaik BCP is to not prefix-, AS-path- or origin-filter well-maintained
route servers at an IXP but simply put in max-prefix limits.


Hi, Dan --

> So, here's the question: How do you filter at exchanges?
> Where is the error in my workflow?
> Is strict route filtering a myth?

You can see if the route-servers at the IX already filter. For example,
this is the case at LONAP, where strict filters against RADB are built.

Networks with open policy and large numbers of peers will naturally find
it hard to filter peer *prefixes* on session config, because as you have
found the config quickly becomes large and unwieldy. As Arnold has said,
filtering with max-prefix and AS-path is more common on bilateral sessions.

My advice would be to encourage your IX operator to filter on the
route-servers, and rely on MLP derived adjacency for networks that you
want to peer with, but don't trust enough not to prefix-filter.