By rssfeeds-admin 
Border Gateway Protocol (BGP) filtering is critical for securing and optimizing internet routing. Improper BGP configuration can lead to serious issues like route leaks, hijacks, or suboptimal routing. Here are the most effective best practices for BGP filtering:
1. Prefix Filtering
Objective: Ensure only authorized prefixes are advertised or accepted.
- Outbound Filtering: Only advertise prefixes your AS owns or is authorized to originate.
- Use prefix-lists or route-maps. In mikrotik land use address lists in V7.
- Implement max-prefix limits per neighbor to prevent accidental route leaks.
- Inbound Filtering: Accept only valid prefixes from your peers or upstream providers.
- Validate against IRR/RPKI.
- Reject bogons (e.g., 0.0.0.0/8, 127.0.0.0/8).
- Limit accepted prefix lengths (e.g.,
/24for IPv4,/48for IPv6).
2. AS-PATH Filtering
Objective: Prevent propagation of incorrect or malicious AS paths.
- Reject prefixes with:
- Your own AS in the path (to avoid loops).
- Private AS numbers (unless explicitly needed).
- Excessively long AS paths (e.g., to avoid path poisoning).
- Use
as-path access-listsor regex matching to define rules.
3. Max-Prefix Limits
Objective: Avoid route table overflow or misconfigurations from neighbors.
- Set max-prefix limits on both eBGP and iBGP sessions.
- Include
warning-onlythresholds and shutdown actions.
4. Use RPKI Validation
Objective: Cryptographically validate route origin.
- Deploy RPKI (Resource Public Key Infrastructure):
- Validate Route Origin Authorizations (ROAs).
- Reject
Invalidroutes. - Prefer
ValidoverNotFound. - Some RPKI resources https://blog.j2sw.com/?s=rpki
5. Implement BGP Session Security
Objective: Prevent unauthorized BGP session establishment or manipulation.
- Use TCP MD5 authentication or TTL security (GTSM).
- Filter inbound TCP connections to port 179.
Not everyone is a fan of MD5 on BGP sessions. I have found several of the CDNs and content companies do not do MD5.
6. Route Flap Damping
Objective: Stabilize the routing table by penalizing flapping prefixes.
- Be conservative with damping to avoid blackholing valid prefixes. Too aggressive causes more support tickets.
- Use vendor-recommended or community-tuned settings.
7. Monitoring and Logging
Objective: Maintain situational awareness and facilitate troubleshooting.
- Use tools like:
- BGP monitoring tools (e.g., BGPMon, RIPE RIS, RouteViews).
- Flow analysis tools to verify traffic patterns.
- Syslog, SNMP, or NetFlow for event tracking.
8. Filter Bogon Prefixes
Objective: Block illegitimate IP address space.
- Use up-to-date bogon lists (e.g., from Team Cymru).
- Apply to both egress and ingress filters.
9. Filter Martian and Reserved IPs
Objective: Prevent misuse of special-use IP ranges.
- Examples:
- 0.0.0.0/8
- 127.0.0.0/8
- 169.254.0.0/16
- 224.0.0.0/4 (Multicast)
- ::/128 (IPv6 unspecified)
10. Maintain Clean BGP Communities
Objective: Enable policy control and route tagging.
- Define and document community policies clearly.
- Strip or rewrite communities as needed before advertising to peers.
Summary:
| Practice | Purpose |
|---|---|
| Prefix Filtering | Avoid leaking or accepting invalid routes |
| AS-PATH Filtering | Prevent loops, hijacks, and poisoning |
| Max-Prefix Limits | Protect router resources |
| RPKI | Ensure route origin authenticity |
| Session Security (MD5, GTSM) | Prevent session hijacking |
| Route Flap Damping | Improve stability |
| Monitoring & Logging | Improve visibility and auditing |
| Bogon/Martian Filtering | Drop invalid or reserved IPs |
| Community Management | Policy control and route tagging |
The post BGP Filtering Best practices for fun and security appeared first on j2sw Blog.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.