Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

"Jakob Heitz (jheitz)" <> Fri, 05 May 2017 22:09 UTC

X-Files: showbgp2policy.c : 17650
From: "Jakob Heitz (jheitz)" <>
To: idr wg <>, "" <>
Date: Fri, 05 May 2017 22:09:20 +0000

Even if violating router OSes are updated, leaks will continue for a long time.
I hope I can help on the filtering side. No RFC or vendor code change required.

I wrote an app in C that takes the output of "show bgp" and creates
a set of route-policies that will prevent the leaks.
It looks at the as-paths, finds your neighbors and then all their upstreams.
Then it writes as-path policies to allow only those upstreams for your neighbors.
You then use the policy in your neighbor inbound policies to either drop
or set a low localpref. There is a way to show the routes that are disallowed.
Sorry, it only works with Cisco.
The source is free for anyone to do whatever they want.
Other vendors can adapt it at will.

Compile it at a Linux command line: "cc showbgp2policy.c".
Sorry about the C, but python is not my mother tongue.
Start with num_policies of 30 and see how it looks.
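The procedure described in the message above (parse "show bgp", take the first AS of each path as the neighbor and the AS behind it as that neighbor's upstream, then emit per-neighbor as-path policy and list the routes such a policy would reject) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not Jakob Heitz's showbgp2policy.c and is in Python rather than C. It assumes the IOS-style "show bgp" table layout (a title line with the Network, Next Hop, Weight and Path columns, one route per line, origin code last) and emits IOS-XR RPL syntax (as-path-set / ios-regex / route-policy) as I recall it; the sample outputs, prefixes and AS numbers are constructed, not captured from a real router, and the "LEAK-GUARD" policy name is my own.

```python
"""Build per-neighbor AS-path allow-lists from "show bgp" output and emit
IOS-XR style route-policy.  Added example; NOT Jakob Heitz's showbgp2policy.c.
Assumes the IOS-style "show bgp" table: a column-title line containing
"Network", "Next Hop", "Weight" and "Path", one route per line, origin last."""
import re
from typing import Dict, List, Optional, Set, Tuple

Hop = Tuple[int, ...]            # single AS -> 1-tuple; AS_SET {a,b} -> (a, b)
ORIGIN_CODES = {"i", "e", "?"}
AS_SET_RE = re.compile(r"^\{(\d+(?:,\d+)*)\}$")

# Constructed sample (not real router output).  Second route for
# 198.51.100.0/24 has a blank Network column, as IOS prints it.
SAMPLE_SHOW_BGP = """\
BGP table version is 42, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.0.2.0/24     0.0.0.0                  0         32768 i
*> 198.51.100.0/24  203.0.113.1              0             0 65001 65100 i
*                   203.0.113.2              0             0 65002 65200 65100 i
*> 198.51.101.0/24  203.0.113.1              0             0 65001 65001 65001 65300 i
*> 198.51.102.0/24  203.0.113.2              0             0 65002 65200 i
*> 198.51.103.0/24  203.0.113.1              0             0 65001 i
*> 198.51.104.0/24  203.0.113.3              0             0 65003 {65400,65500} 65100 ?
"""

# Constructed later snapshot: 65001 suddenly passes on 65999, and an unknown
# neighbor 65004 appears.  Both should be reported as disallowed.
LATER_SHOW_BGP = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24  203.0.113.1              0             0 65001 65100 i
*> 198.51.105.0/24  203.0.113.1              0             0 65001 65999 65100 i
*> 198.51.106.0/24  203.0.113.4              0             0 65004 65100 i
"""


def _parse_hop(token: str) -> Optional[Hop]:
    m = AS_SET_RE.match(token)
    if m:
        return tuple(sorted(int(a) for a in m.group(1).split(",")))
    return (int(token),) if token.isdigit() else None


def parse_paths(show_bgp: str) -> List[Tuple[str, List[Hop]]]:
    """Return (prefix, as_path) per route line, with AS-path prepends collapsed."""
    routes: List[Tuple[str, List[Hop]]] = []
    cols, prefix = None, None
    for line in show_bgp.splitlines():
        if "Network" in line and "Path" in line:            # column-title line
            cols = (line.index("Network"), line.index("Next Hop"), line.index("Weight"))
            continue
        if cols is None or not line.strip():
            continue
        net_col, nh_col, weight_col = cols
        field = line[net_col:nh_col].split()
        prefix = field[0] if field else prefix              # IOS omits a repeated prefix
        tail = line[weight_col:].split()                    # weight, AS path..., origin
        if prefix is None or len(tail) < 2 or tail[-1] not in ORIGIN_CODES:
            continue
        hops = [_parse_hop(t) for t in tail[1:-1]]
        if any(h is None for h in hops):
            continue                                        # not a route line after all
        path: List[Hop] = []
        for hop in hops:
            if not path or path[-1] != hop:                 # collapse prepends
                path.append(hop)                            # type: ignore[arg-type]
        routes.append((prefix, path))
    return routes


def build_allow_lists(routes: List[Tuple[str, List[Hop]]]) -> Dict[int, Set[int]]:
    """neighbor AS -> set of ASes ever seen directly behind it (its upstreams)."""
    allowed: Dict[int, Set[int]] = {}
    for _prefix, path in routes:
        if not path or len(path[0]) != 1:
            continue                    # locally originated, or AS_SET in neighbor position
        ups = allowed.setdefault(path[0][0], set())
        if len(path) > 1:
            ups.update(path[1])         # every AS_SET member counts as seen
    return allowed


def render_policy(allowed: Dict[int, Set[int]], name: str = "LEAK-GUARD") -> str:
    """IOS-XR RPL (syntax assumed): one as-path-set and route-policy per neighbor.
    In Cisco AS-path regex '_' matches start/end, space, comma and brace."""
    out = []
    for neighbor in sorted(allowed):
        regexes = [f"^{neighbor}(_{neighbor})*$"]           # routes the neighbor originates
        if allowed[neighbor]:
            alt = "|".join(str(a) for a in sorted(allowed[neighbor]))
            regexes.append(f"^{neighbor}(_{neighbor})*_({alt})_")
        out += [f"as-path-set {name}-AS{neighbor}",
                ",\n".join(f"  ios-regex '{r}'" for r in regexes),
                "end-set",
                f"route-policy {name}-AS{neighbor}",
                f"  if as-path in {name}-AS{neighbor} then\n    pass\n  else\n    drop\n  endif",
                "end-policy"]
    return "\n".join(out) + "\n"


def fmt_path(path: List[Hop]) -> str:
    return " ".join(str(h[0]) if len(h) == 1 else "{" + ",".join(map(str, h)) + "}" for h in path)


def disallowed_routes(allowed: Dict[int, Set[int]],
                      routes: List[Tuple[str, List[Hop]]]) -> List[Tuple[str, str]]:
    """Routes the allow-list would reject: unknown neighbor, or a neighbor
    passing on an AS it was never seen behind when the baseline was taken."""
    bad = []
    for prefix, path in routes:
        if not path or len(path[0]) != 1:
            continue
        neighbor = path[0][0]
        if neighbor not in allowed or (len(path) > 1 and not set(path[1]) & allowed[neighbor]):
            bad.append((prefix, fmt_path(path)))
    return bad


if __name__ == "__main__":
    allowed = build_allow_lists(parse_paths(SAMPLE_SHOW_BGP))
    print(render_policy(allowed))
    for prefix, path in disallowed_routes(allowed, parse_paths(LATER_SHOW_BGP)):
        print(f"would drop {prefix} via {path}")
```

Two caveats a practitioner would want before applying anything generated this way: the baseline must come from a table captured while no leak was in progress, since whatever the neighbor was already passing on gets whitelisted, and the column slicing relies on the platform's table layout, so check the parsed paths against the raw output before trusting the policy. Applying the policy with `drop`, as above, is the strict form; the message's alternative of setting a low local preference instead is a one-line change in the else branch.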