Operators who deploy Peerlock will many of the of the route leaking and BGP Hijacking risk. Peer-Lock is an optimized AS-Path Filtering technique. The foundation is not new. We have been using AS Path Filtering for decades. What is new is the approach, using the AS-Path filter together with a written peering agreement.
Does it work? Yes, Peerlock-lite is a deployed and proven safeguard for types of BGP prefix leaks and BGP hijacks. NTT has illustrated the deployability of the Peerlock approach. This is explicit AS-Path Filter based on the assumptions that a normal Operators will not sell transit to their upstream and major peers.
The Peerlock Lite policy rejects any prefixes you receive from your customers which contain a
$bignetwork ASN anywhere in the AS_PATH. Here is a Cisco IOS example: ip as-path access-list 99 permit \ _(174|209|286|701|1239|1299 \ |2828|2914|3257|3320|3356 \ |3549|5511|6453|6461|6762 \ |7018|12956)_ route-map ebgp-customer-in deny 1 match as-path 99
A good video to gain context is Job Snijders (NTT) NANOG talk Everyday practical BGP filtering (video)(PDF).
Back to the main guide BGP Route Hijacks & Routing Mistakes – What can be done Today?
These BGP security materials are provided to help people around the Internet understand how do their part to deploy a more resilient BGP infrastructure. Seek out more information on www.senki.org.