Filtering Known Transit Networks

Filter Known Transit Networks in AS Paths

Purpose

Across an IXP, Tier 2 and Tier 3 networks should not announce prefixes whose AS path contains a transit network that is ‘probably’ not one of their customers. For the same reason, you should not accept such paths from one of your customers if they are not in the business of providing transit to companies like Level3, NTT or Telia.

Job Snijders gave a presentation at NANOG that explains more about the topic. Presentation in PDF

Be aware that you need to check the ASN list manually, as you could peer with, for instance, Microsoft or other parties on the list. Do a quick sanity check on the AS numbers so that the list fits your needs.

Target import policy: customers and IXP peering

Configuration Examples

BIRD

define TRANSIT_ASNS = [ 174,                  # Cogent
                        209,                  # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
                        701,                  # UUNET
                        702,                  # UUNET
                        1239,                 # Sprint
                        1299,                 # Telia
                        2914,                 # NTT Communications
                        3257,                 # GTT Backbone
                        3320,                 # Deutsche Telekom AG (DTAG)
                        3356,                 # Level3
                        3549,                 # Level3
                        3561,                 # Savvis / CenturyLink
                        4134,                 # Chinanet
                        5511,                 # Orange opentransit
                        6453,                 # Tata Communications
                        6461,                 # Zayo Bandwidth
                        6762,                 # Seabone / Telecom Italia
                        7018 ];               # AT&T
function reject_transit_paths()
int set transit_asns;
{
        transit_asns = TRANSIT_ASNS;
        if (bgp_path ~ transit_asns) then {
                print "Reject: Transit ASNs found on IXP: ", net, " ", bgp_path;
                reject;
        }
}


...

filter transit_in {
        reject_bogon_asns();
        reject_bogon_prefixes();
        reject_long_aspaths();
        reject_small_prefixes();
        reject_default_route();

...

        honor_graceful_shutdown();
        accept;
}

filter ixp_in {
        reject_bogon_asns();
        reject_bogon_prefixes();
        reject_long_aspaths();
        reject_transit_paths();
        reject_small_prefixes();
        reject_default_route();

...

        honor_graceful_shutdown();
        accept;
}

Junos

policy-options {
    policy-statement bgp-import-policy {
        term no-transit-leaks {
            from as-path no-transit-import-in;
            then reject;
        }
    }
    as-path no-transit-import-in ".* (174|209|701|702|1239|1299|2914|3257|3320|3356|3549|3561|4134|5511|6453|6461|6762|7018) .*";
}

IOS-XR

as-path-set TRANSIT_AS
  ios-regex '.* (174|209|701|702|1239|1299|2914|3257|3320|3356|3549|3561|4134|5511|6453|6461|6762|7018) .*'
end-set
!
route-policy BGP_FILTER_IN
  if as-path in TRANSIT_AS then
    drop
  endif
end-policy

OpenBGPD

deny from $IXP transit-as {174,209,701,702,1239,1299,2914,3257,3320,3356,3549,3561,4134,5511,6453,6461,6762,7018}

($IXP represents a list of IXP peers or Route Servers)
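
The sanity check described under Purpose (dropping listed ASNs you peer with directly) and the resulting filter decision can be tried offline before changing a router. The Python below is an added example, not part of the original guide: the sample AS paths, the direct peering with AS6461, the function names, and the choice to count AS_SET members as part of the path are assumptions, and paths are expected in asplain notation.

```python
import re

# ASNs copied from the page's TRANSIT_ASNS list.
TRANSIT_ASNS = {174, 209, 701, 702, 1239, 1299, 2914, 3257, 3320, 3356,
                3549, 3561, 4134, 5511, 6453, 6461, 6762, 7018}


def effective_asns(direct_peers=()):
    """Page's sanity check: drop listed ASNs you peer with directly."""
    return sorted(TRANSIT_ASNS - set(direct_peers))


def parse_as_path(text):
    """Split a textual AS path into ASNs; AS_SET members ({a,b}) count too."""
    return [int(tok) for tok in re.findall(r"\d+", text)]


def transit_hits(path_text, asns):
    """Listed transit ASNs found anywhere in the path, in path order."""
    listed = set(asns)
    return [a for a in dict.fromkeys(parse_as_path(path_text)) if a in listed]


def render_configs(asns):
    """Emit the pruned list in the Junos and OpenBGPD forms used on the page."""
    alternation = "|".join(str(a) for a in asns)
    return {
        "junos": f'as-path no-transit-import-in ".* ({alternation}) .*";',
        "openbgpd": "deny from $IXP transit-as {%s}" % ",".join(map(str, asns)),
    }


# Constructed sample: AS paths as received from IXP peers (documentation ASNs).
SAMPLE_PATHS = [
    "64500 64501",          # clean peer route
    "64500 3356 64502",     # peer leaking a route learned from Level3
    "6461 64503",           # route from a direct peering with Zayo (assumed)
    "6461 1299 64504",      # Zayo route that still crosses Telia
    "64500 {64505,2914}",   # transit ASN inside an AS_SET
]

if __name__ == "__main__":
    asns = effective_asns(direct_peers=[6461])
    for path in SAMPLE_PATHS:
        hits = transit_hits(path, asns)
        print("REJECT" if hits else "accept", path, hits)
    for line in render_configs(asns).values():
        print(line)
```

Removing an ASN from the list exempts it everywhere in the path, not only as the directly connected neighbour, so prune only ASNs you are prepared to see anywhere in routes from IXP peers.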