Filtering Long Paths

Filter Long AS Paths

Purpose

Some networks go completely overboard on the number of pre-pending AS numbers. And as it is a known attack from the past for AS paths longer than 256 AS numbers .. you might want to filter on max number of AS numbers.

There are at the moment of writing this page some prefixes with about 40 ASn’s in the AS_Path. So a filter of more than 50 should give no additional filtered prefixes.

A safe number on the filter would be on 100 AS’s in the AS_PATH.

Configuration Examples

BIRD

function reject_long_aspaths()
{
    if ( bgp_path.len > 100 ) then {
        print "Reject: Too long AS path: ", net, " ", bgp_path;
        reject;
    }
}

Junos

policy-options {
  policy-statement bgp-import-policy {
  term no-long-paths {
      from as-path too-many-hops;
      then reject;
     }
   }
 }

 as-path too-many-hops ".{100,}";

Info about the original bug report : Link to kb article

IOS-XR

route-policy BGP_FILTER_IN
  if as-path length ge 100 then
    drop
  endif
end-policy

OpenBGPD

deny from any max-as-len 100

Mikrotik

RouterOS v6

This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.

/routing filter add chain=GENERIC_PREFIX_LIST bgp-as-path-length="65-4294967295" protocol=bgp action=discard comment=""

RouterOS v7

/routing/filter/rule
add chain="GENERIC_PREFIX_LIST" rule="if (bgp-path-len >= 100 ){ reject }"

Nokia SR OS

#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
        policy-options
            begin
            policy-statement "BGP_FILTER_IN"
                entry 40
                    from
                        as-path-length 100 or-higher
                    exit
                    action drop
                    exit
                exit
            exit
            commit
        exit
----------------------------------------------

#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 40 from as-path-length 100 or-higher
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 40 action drop
/configure router policy-options commit

#
# MD-CLI
#
[gl:configure policy-options]
policy-statement "BGP_FILTER_IN" {
    entry 40 {
        from {
            as-path {
                length {
                    value 100
                    qualifier or-higher
                }
            }
        }
        action {
            action-type reject
        }
    }
}

#
# Paste-friendly MD-CLI blob
#
/configure policy-options policy-statement "BGP_FILTER_IN" { }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 40 }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 40 from }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 40 from as-path }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 40 from as-path length value 100
/configure policy-options policy-statement "BGP_FILTER_IN" entry 40 from as-path length qualifier or-higher
/configure policy-options policy-statement "BGP_FILTER_IN" entry 40 action action-type reject

Huawei VRP

route-policy TRANSIT-V4-IN deny node 120
 if-match as-path length greater-equal 100 less-equal 2047

Arista

route-map BGP_FILTER_IN deny 10
   match as-path length >= 100