Automated Route Filtering

The Manitoba Internet Exchange (MBIX) Operations Team has completed automating the route filtering performed on the MBIX route servers. Testing was performed over the course of October 12th and 13th on the new pelican2 RS2. The testing was so successful that RS1 was fully automated as well, on the evening of October 14th at 8PM local time.

Why was this done?

Internet Exchange Points (IXPs) that offer route servers but don’t do filtering have aided in the propagation of numerous malicious and accidental BGP hijacks over the past 12-18 months. This has been a hot topic on numerous technical mailing lists.

The other reason the ops team wanted to automate route server filtering is that we are volunteers. Validating LOAs and adding new prefixes to route server filters manually takes time, and automation lets us use our volunteer time more efficiently.

How is this accomplished?

MBIX recently upgraded its route servers to newer hardware and a more modern Linux. Our route servers run BIRD. A piece of software called arouteserver is used to generate the BIRD configuration files.

At midnight and noon, RS1’s configuration files are regenerated, syntax is validated, then reloaded in BIRD. At 6AM and 6PM the same happens for RS2.

arouteserver pulls data from numerous sources automatically. It uses the AS-SET found in the IRR record field at PeeringDB, IRR route objects in a configurable list of sources, ARIN whois OriginAS entries through a bulk export, and also RPKI ROAs.
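
To show how data of this kind can combine into an accept/reject decision for a single announcement, here is an added example; it is not MBIX's or arouteserver's code. The policy order, the function names, and the sample AS-SET, route objects and ROAs (documentation prefixes and ASNs) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and ASNs, not real members.
AS_SET = {64500, 64501}  # ASNs obtained by expanding the member's AS-SET
ROUTE_OBJECTS = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501)]
ROAS = [("192.0.2.0/24", 24, 64500),     # (prefix, maxLength, origin ASN)
        ("203.0.113.0/24", 24, 64501)]


def rpki_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this prefix
            if net.prefixlen <= max_len and origin == roa_asn:
                return "valid"
    return "invalid" if covered else "unknown"


def has_route_object(prefix, origin, routes=ROUTE_OBJECTS):
    """Exact-match lookup (assumed policy: no more-specifics allowed)."""
    net = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(p) == net and asn == origin
               for p, asn in routes)


def decide(prefix, as_path):
    """Return (accepted, reason) for one announcement from the member."""
    origin = as_path[-1]  # the origin AS is the last ASN in the path
    state = rpki_state(prefix, origin)
    if state == "invalid":
        return False, "RPKI invalid"
    if origin not in AS_SET:
        return False, "origin not in AS-SET"
    if has_route_object(prefix, origin):
        return True, "IRR route object"
    if state == "valid":
        return True, "RPKI ROA"
    return False, "no route object or ROA"


if __name__ == "__main__":
    for pfx, path in [("192.0.2.0/24", [64500]), ("192.0.2.0/25", [64500]),
                      ("198.51.100.0/24", [64500]), ("203.0.113.0/24", [64501])]:
        print(pfx, path, decide(pfx, path))
```

The /25 case shows why a more-specific announcement is dropped even when its origin is correct: the covering ROA's maxLength is 24, so the route validates as RPKI invalid.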

What does this mean for MBIX Members?

For those who peer with the route server there is no longer any need to send PDF LOAs to the operations team. The best way to ensure that your routes pass through the MBIX route servers is by having IRR route objects for your routes. If you provide transit, have route objects for your customer routes.

You can view your current IRR objects using NLNOG’s IRR Explorer website. Search for your ASN, or your AS-SET.

Example: MBIX-connected, non-transit ASN with correct IRR:

Special Thanks

A special thanks to Theo de Raadt and Job Snijders of YYCIX for pioneering the way and going first, and then encouraging us to do so as well. Theo de Raadt contacted many people and had them fix or create IRR entries — enough that we only had to contact one local network about one prefix that needed IRR created.
