On 30 May 2004, at 12:16, Gordon Smith wrote:
> One thing that no one seems to have noticed yet, is that using TCNZ for
> transit in this way is virtually impossible due to the manner in which
> they route traffic. TCNZ use BGP communities to tag and filter, as did
> Clear before them.

It's common practice to tag routes where you learnt them with
sufficient granularity that you can use those tags in place of explicit
prefix filters in your export policy (e.g. "this was learnt from a
customer", "this was learnt from a peer", etc). If there is any ISP
here not doing this, I strongly advise them to start. It'll save you no
end of grief.

> So ingress and egress paths are filtered at the

It's good practice to filter routes received from any external router,
whether at an exchange point or not.
There have been numerous examples of unscrupulous people getting
something for nothing by exploiting weaknesses in the routing policies
of large providers. This is not a recent innovation.
However, it is not the case that by peering or even simply connecting
to an exchange point you inevitably make yourself vulnerable to these
things. Connecting your routers to other routers which are not
controlled by you always involves a certain amount of risk, but if done
properly the risk is very small (and there's always a layer 8/9 hammer
as a last resort to smite persistent offenders).
If I had bothered to make any slides for my BGP ramblings in Auckland
last year, I'd point you at them. Of course, I didn't, so I can't.
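
Added example, not part of the original message and not any ISP's actual configuration: a small Python model of the practice described above, where the import policy filters and tags each route by where it was learnt and the export policy matches only on those tags. The ASN 64500, the community values, the prefixes and the rule that neighbour-supplied copies of the local tags are discarded at import are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

LOCAL_AS = 64500  # constructed: documentation ASN, not from the post
# Constructed tag values: one community per class of neighbour a route was learnt from.
TAG = {"customer": (LOCAL_AS, 100), "peer": (LOCAL_AS, 200), "transit": (LOCAL_AS, 300)}
# Export policy expressed on tags only: which learnt-from classes each neighbour class may hear.
EXPORT = {"customer": {"customer", "peer", "transit"},
          "peer": {"customer"},
          "transit": {"customer"}}

@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)

def ingress(route, learnt_from, allowed=None):
    """Import policy: filter what the neighbour sent, then tag it by where it was learnt."""
    net = ip_network(route.prefix)
    if allowed is not None and not any(net.subnet_of(ip_network(a)) for a in allowed):
        return None  # outside the prefixes agreed for this neighbour: reject
    # Discard neighbour-supplied copies of our own tags; only this policy sets them.
    kept = {c for c in route.communities if c[0] != LOCAL_AS}
    return Route(route.prefix, kept | {TAG[learnt_from]})

def export(rib, to):
    """Export policy: announce a route only if it carries a tag permitted for this class."""
    permitted = {TAG[k] for k in EXPORT[to]}
    return sorted(r.prefix for r in rib if r.communities & permitted)

def demo():
    # Constructed announcements: (route as received, neighbour class, agreed prefixes or None)
    received = [
        (Route("192.0.2.0/24"), "customer", ["192.0.2.0/24"]),
        (Route("203.0.113.0/24"), "customer", ["192.0.2.0/24"]),  # not agreed: dropped
        (Route("198.51.100.0/24", {(LOCAL_AS, 100)}), "peer", ["198.51.100.0/24"]),
        (Route("0.0.0.0/0"), "transit", None),
    ]
    rib = [r for r in (ingress(*args) for args in received) if r is not None]
    return {to: export(rib, to) for to in EXPORT}

if __name__ == "__main__":
    for neighbour, prefixes in demo().items():
        print(f"to {neighbour}: {prefixes}")
```

Peers and transit hear only the customer-tagged prefix, while customers hear everything that passed the import filters; no export rule names a prefix.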