Community discussions

MikroTik App
 
hashirvani
just joined
Topic Author
Posts: 3
Joined: Fri Nov 28, 2014 2:12 pm
Contact:

How to Block BGP AS to my network?

Wed Jun 15, 2022 1:43 am

hi dears

i need solution for block one or more ASN Source to my bgp. Does anyone have a solution?
 
User avatar
StubArea51
Trainer
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: How to Block BGP AS to my network?

Wed Jun 15, 2022 2:13 am

If you're taking full tables, you can block the outbound traffic by installing routes for that ASN as blackhole routes using a routing filter.

For inbound, you'd have to talk with your upstream and see if they have BGP communities that will allow selective 'no-export' for the ASN in question.
 
eduplant
Member Candidate
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: How to Block BGP AS to my network?

Thu Jul 21, 2022 6:09 am

This is a little stale but I was catching up on posts and figured I'd comment.

Outbound is easy because as ipanetengineer pointed out; you have routing filters. Whether or not you can do what you want in terms of inbound is very topology dependent and is pretty much impossible to do in an absolute or foolproof manner.

You can't send your prefix(es) to your upstream with NO_EXPORT. The effect of this would be to ensure that only your upstream provider's direct customers or anybody accepting default from them can reach you. Since that won't work, ipanetengineer pointed out that you could try and arrange a selective NO_EXPORT towards some of *their* peers and also for them to agree to not announce your prefix to the target AS if they peer directly. Regardless, by necessity, some directions out of their network will still require your prefix being advertised *without* NO_EXPORT so that the whole rest of the internet can reach you.

Consider this scenario:
noexport.png
Even if you arrange with your provider (big_provider_a) to do this and they honor your request, one of their other peers (big_provider_c) will probably receive a copy without NO_EXPORT. Perhaps this is because when you implemented it, they weren't the best path to bad_as. If bad_as now gets a direct link to big_provider_c, you don't have an arrangement with big_provider_c to do the same thing. What's more, big_provider_c and big_provider_b may peer and big_provider_b will have two copies of your route: one with NO_EXPORT and the other without. They know nothing of the arrangement and they'll honor the NO_EXPORT if they choose that as their best path. But they may not, and this will lead to them leaking the other copy further on.

Ultimately, BGP is designed to enable connectivity and autonomy. If you announce a prefix, you should assume it's either for your peer only or for the whole world. Anything in between those two extremes is very hard to influence. If you don't want an AS to be able to reach you, the most foolproof tool you have is to look up the address space they originate and filter the traffic by source IP once it reaches you.
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: No registered users and 15 guests