Filter Known Transit Networks in AS Paths
Purpose
Across an IXP, Tier 2 and Tier 3 networks should not be announcing prefixes with a transit network in the AS Path which is ‘probably’ not one of their customers. And you should also for the same reason, not accept any of them via one of your customers if they are not in the business of providing transit to companies like Level3, NTT or Telia.
There was a presentation at Nanog by Job Snijders that explains more about the topic. Presentation in PDF
Be aware that you need to manually check the prefix list as you could peer with for instance Microsoft of other parties on the list.. So you need to do a quick sanity check on the AS numbers to fit your need.
Target import policy : customers and IXP peering
Configuration Examples
BIRD
define TRANSIT_ASNS = [ 174, # Cogent
701, # UUNET
1299, # Telia
2914, # NTT Ltd.
3257, # GTT Backbone
3320, # Deutsche Telekom AG (DTAG)
3356, # Level3
3491, # PCCW
4134, # Chinanet
5511, # Orange opentransit
6453, # Tata Communications
6461, # Zayo Bandwidth
6762, # Seabone / Telecom Italia
6830, # Liberty Global
7018 ]; # AT&T
function reject_transit_paths()
int set transit_asns;
{
transit_asns = TRANSIT_ASNS;
if (bgp_path ~ transit_asns) then {
print "Reject: Transit ASNs found on IXP: ", net, " ", bgp_path;
reject;
}
}
...
filter transit_in {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_small_prefixes();
reject_default_route();
...
honor_graceful_shutdown();
accept;
}
filter ixp_in {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_transit_paths();
reject_small_prefixes();
reject_default_route();
...
honor_graceful_shutdown();
accept;
}
Junos
policy-options {
policy-statement bgp-import-policy {
term no-transit-leaks {
from as-path no-transit-import-in;
then reject;
}
}
}
as-path no-transit-import-in ".* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*";
IOS-XR
as-path-set TRANSIT_AS
ios-regex '.* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*'
end-set
!
route-policy BGP_FILTER_IN
if as-path in TRANSIT_AS then
drop
endif
end-policy
OpenBGPD
deny from $IXP transit-as {174,701,1299,2914,3257,3320,3356,3491,4134,5511,6453,6461,6762,6830,7018}
($IXP represents a list of IXP peers or Route Servers
FRR (vtysh)
bgp as-path access-list peerings deny .* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*
VyOS
set policy as-path-list TRANSIT-ASNS rule 10 action 'permit'
set policy as-path-list TRANSIT-ASNS rule 10 description 'Well-known transit ASNs'
set policy as-path-list TRANSIT-ASNS rule 10 regex '.* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*'
set policy route-map PEERING-IN rule 20 action 'deny'
set policy route-map PEERING-IN rule 20 match as-path 'TRANSIT-ASNS'
Nokia SR OS
#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
policy-options
begin
as-path "TRANSIT_AS"
expression ".* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*"
exit
policy-statement "BGP_FILTER_IN"
entry 50
from
as-path "TRANSIT_AS"
exit
action drop
exit
exit
exit
commit
exit
#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options as-path "TRANSIT_AS" expression ".* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 50 from as-path "TRANSIT_AS"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 50 action drop
/configure router policy-options commit
#
# MD-CLI
#
[gl:configure policy-options]
as-path "TRANSIT_AS" {
expression ".* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*"
}
policy-statement "BGP_FILTER_IN" {
entry 50 {
from {
as-path {
name "TRANSIT_AS"
}
}
action {
action-type reject
}
}
}
#
# Paste-friendly MD-CLI blob
#
/configure policy-options as-path "TRANSIT_AS" expression ".* (174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018) .*"
/configure policy-options policy-statement "BGP_FILTER_IN" { }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 50 }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 50 from }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 50 from as-path name "TRANSIT_AS"
/configure policy-options policy-statement "BGP_FILTER_IN" entry 50 action action-type reject
Mikrotik
RouterOS v7
/routing/filter/num-list
add list=TRANSIT_ASNS range=174 comment="Cogent"
add list=TRANSIT_ASNS range=701 comment="UUNET"
add list=TRANSIT_ASNS range=1299 comment="Telia"
add list=TRANSIT_ASNS range=2914 comment="NTT Ltd."
add list=TRANSIT_ASNS range=3257 comment="GTT Backbone"
add list=TRANSIT_ASNS range=3320 comment="Deutsche Telekom AG (DTAG)"
add list=TRANSIT_ASNS range=3356 comment="Level3"
add list=TRANSIT_ASNS range=3491 comment="PCCW"
add list=TRANSIT_ASNS range=4134 comment="Chinanet"
add list=TRANSIT_ASNS range=5511 comment="Orange opentransit"
add list=TRANSIT_ASNS range=6453 comment="Tata Communications"
add list=TRANSIT_ASNS range=6461 comment="Zayo Bandwidth"
add list=TRANSIT_ASNS range=6762 comment="Seabone / Telecom Italia"
add list=TRANSIT_ASNS range=6830 comment="Liberty Global"
add list=TRANSIT_ASNS range=7018 comment="AT&T"
/routing/filter/rule
add chain=NO-TRANSIT-IN rule="if (bgp-as-path [[:TRANSIT_ASNS:]]){ reject }"
Arista EOS
ip as-path regex-mode asn
!
ip as-path access-list TRANSIT-ASNS permit _(174|701|1299|2914|3257|3320|3356|3491|4134|5511|6453|6461|6762|6830|7018)_ any
!
route-map IX-PEER-IN deny 10
match as-path TRANSIT-ASNS
!
Huawei VRP
ip as-path-filter filter_IX_AS_Path index 10 permit _(174|701|702|703|1299|2914|3257|3320)_
ip as-path-filter filter_IX_AS_Path index 20 permit _(3356|3491|4134|5511|6453|6461|6762|6830|7018)_
route-policy IX-V4-IN deny node 130
if-match as-path-filter filter_IX_AS_Path