We have learned in the community that it is safer to have all prefixes with one BGP Community. That means a BGP community will be required for the route to get advertised to a peer. Granted, each prefix might have multiple BGP Communities, but the requirement that each must have at least one BGP community provides a safety check.
The policy would be All prefixes must have a minimum of one BGP community to enable the prefix to be shared with peers or customers. This means the BGP rule for the Community filter will be an “explicit deny” filter – denying all prefixes without BGP communities and only permitting prefixes with explicitly permitted BGP communities.
This technique prevents routing incidents like the Pakistan – Youtube incident. A Remote Triggered Black Hole (RTBH) that would have leaked would not get blocked if there was not a matching BGP Community.
In the past, we would call this approach a “Murphy Filter.” Murphy = Murphy’s Law and Murphy’s Law of Networking. It assumes the worse is going to happen on the network right when you do not need an incident. If you design your network with Murphy’s Law of Networking, then you will assume that the BGP prefix filter will fail. Using a “Murphy filter” is thinking of the time when the unexpected filter failure happens.
Back to the main guide BGP Route Hijacks & Routing Mistakes – What can be done Today?
These BGP security materials are provided to help people around the Internet understand how do their part to deploy a more resilient BGP infrastructure. Seek out more information on www.senki.org.