Recommendation: Deploy Peerlock

Operators who deploy Peerlock will mitigate much of their route leaking and BGP hijacking risk. Peerlock is an optimized AS-Path filtering technique. The foundation is not new; we have been using AS-Path filtering for decades. What is new is the approach: using the AS-Path filter together with a written peering agreement.

Does it work? Yes. Peerlock-lite is a deployed and proven safeguard for certain types of BGP prefix leaks and BGP hijacks. NTT has demonstrated the deployability of the Peerlock approach. This is an explicit AS-Path filter based on the assumption that a normal operator will not sell transit to its upstream providers and major peers.

The Peerlock Lite policy rejects any prefixes you receive from your customers which contain a $bignetwork ASN anywhere in the AS_PATH. Here is a Cisco IOS example (the as-path access-list is a single configuration line; IOS does not accept backslash line continuation):

    ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
    !
    route-map ebgp-customer-in deny 1
     match as-path 99
    !
    ! Terminating clause: without it the route-map's implicit deny would drop every customer route.
    route-map ebgp-customer-in permit 10
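The following Python script is an added example, not code from the page or from NTT, that shows what the IOS filter above actually does: it builds the same `_(...)_` regex from the $bignetwork ASN list, emulates the IOS meaning of `_` (a word boundary, so `3356` does not match inside `33560`), and runs the Peerlock-lite reject decision over a handful of constructed customer routes. The customer ASNs 64500-64502 are documentation ASNs and the prefixes are documentation ranges; nothing here is a real announcement.

```python
import re

# The $bignetwork ASN list copied from the page's Cisco IOS example.
BIG_NETWORK_ASNS = [174, 209, 286, 701, 1239, 1299,
                    2828, 2914, 3257, 3320, 3356,
                    3549, 5511, 6453, 6461, 6762,
                    7018, 12956]


def peerlock_lite_regex(asns):
    """Build the IOS as-path regex used in the page's access-list 99."""
    return "_(" + "|".join(str(a) for a in asns) + ")_"


def ios_as_path_match(ios_regex, as_path):
    """Emulate IOS as-path regex matching in Python.

    In IOS regexes '_' matches a space, comma, brace, parenthesis or the
    start/end of the AS_PATH string, so '_3356_' matches ASN 3356 but not 33560.
    """
    py_regex = ios_regex.replace("_", r"(?:^|[\s,{}()]|$)")
    path_text = " ".join(str(a) for a in as_path)
    return re.search(py_regex, path_text) is not None


def filter_customer_routes(routes, asns=BIG_NETWORK_ASNS):
    """Apply Peerlock-lite to (prefix, as_path) tuples received from a customer.

    Returns (accepted, rejected), mimicking 'route-map ebgp-customer-in deny 1'
    followed by a permit clause for everything else.
    """
    regex = peerlock_lite_regex(asns)
    accepted, rejected = [], []
    for prefix, as_path in routes:
        if ios_as_path_match(regex, as_path):
            rejected.append((prefix, as_path))
        else:
            accepted.append((prefix, as_path))
    return accepted, rejected


# Constructed sample routes, as if received from customer AS 64500
# (64496-64511 are documentation ASNs; 192.0.2.0/24 etc. are documentation prefixes).
SAMPLE_ROUTES = [
    ("192.0.2.0/24",     [64500]),               # customer's own prefix: accept
    ("198.51.100.0/24",  [64500, 64501]),        # customer's downstream: accept
    ("203.0.113.0/24",   [64500, 3356, 64502]),  # route leaked from a big network: reject
    ("203.0.113.128/25", [64500, 2914]),         # big network behind a customer: reject
    ("192.0.2.128/25",   [64500, 33560]),        # 33560 is not 3356; the '_' anchors keep it accepted
]

if __name__ == "__main__":
    accepted, rejected = filter_customer_routes(SAMPLE_ROUTES)
    print("ip as-path access-list 99 permit", peerlock_lite_regex(BIG_NETWORK_ASNS))
    for prefix, path in rejected:
        print("REJECT", prefix, " ".join(map(str, path)))
    for prefix, path in accepted:
        print("ACCEPT", prefix, " ".join(map(str, path)))
```

Run it with a dump of paths received from a customer session (one prefix and AS_PATH per entry) to preview which routes the Peerlock-lite clause would drop before enabling it on the router; the `33560` case is there because a regex without the `_` anchors would wrongly reject that route.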

A good video to gain context is Job Snijders' (NTT) NANOG talk, Everyday practical BGP filtering (video) (PDF).


Back to the main guide BGP Route Hijacks & Routing Mistakes – What can be done Today?

These BGP security materials are provided to help people around the Internet understand how to do their part to deploy a more resilient BGP infrastructure. Seek out more information on www.senki.org.