On Thu, Aug 7, 2025 at 5:48 AM Jeffrey Haas <[email protected]> wrote:
> AS_SETs are a lovely place to drop such poisoning.

TIL AS_SET has also been used for aspath poisoning, this might be less effective as some implementations simply ignore AS_SET which complicates aspath length calculation / origin ASN matching / AS relationship matching.

> > On Aug 7, 2025, at 5:34 AM, Joe Abley <[email protected]> wrote:
> >
> > I prepended 1221 to the routes I went towards US providers for the purpose
> > of poisoning those routes and making them unacceptable to 1221 routers who
> > might otherwise learn them.
> >
> > This was effective. It served a purpose. It wasn't malicious and it wasn't
> > intended to impersonate anybody or hijack anything. The 1221 people knew I
> > was doing it, and perhaps they had given up complaining about my
> > shenanigans by that point but they didn't tell me to stop.
> >
> > I have always thought of AS_PATH as a loop avoidance mechanism, and that's
> > precisely how it was being used here.
> >
> > Was it wrong? Was it a bad idea? If you (collectively) think yes, can you
> > say why?

aspath poisoning could be a useful tool especially when other options are not available, but some kind of warning is probably warranted ("are you really sure this is what you want?")

* could cause unintended reachability issues (especially for downstream customers of a transit ASN getting third-party prepended / absence of non-poisoned aggregate covering the prefix)
* causing noise in route hijack monitoring (false positive route leak / peer lock failure alerts) by putting ASNs not on path into aspath attribute
* creating confusion on which network is doing prepending (who to contact when this setup causes issues), especially when multiple third-party ASNs are injected (a vector used for an unordered_set)

Yang
_______________________________________________
GROW mailing list -- [email protected]
To unsubscribe send an email to [email protected]
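The AS_SET point raised in the message above, as an added example that is not part of the original thread: a Python model of receiver-side loop detection, path length and origin extraction, with a flag for an implementation that skips AS_SET segments. The ASNs are constructed documentation values (RFC 5398) and all function names are hypothetical.

```python
# Added illustration, not code from the thread. An AS_PATH is modelled as a
# list of (segment_type, [asns]) tuples, leftmost segment = most recent hop.
AS_SET, AS_SEQUENCE = 1, 2  # path segment type codes from RFC 4271


def loop_check_asns(as_path, inspect_as_set=True):
    """ASNs a receiver looks at when checking for its own ASN in the path."""
    seen = set()
    for seg_type, asns in as_path:
        if seg_type == AS_SET and not inspect_as_set:
            continue  # models an implementation that ignores AS_SET segments
        seen.update(asns)
    return seen


def accepts(local_asn, as_path, inspect_as_set=True):
    """Loop avoidance: the route is rejected if our ASN is already present."""
    return local_asn not in loop_check_asns(as_path, inspect_as_set)


def path_length(as_path):
    """RFC 4271 tie-break length: an AS_SET counts as 1 whatever its size."""
    return sum(1 if t == AS_SET else len(asns) for t, asns in as_path)


def origin_asn(as_path):
    """RFC 6811 origin: rightmost ASN, or None if the path ends in an AS_SET."""
    if not as_path:
        return None
    seg_type, asns = as_path[-1]
    return asns[-1] if seg_type == AS_SEQUENCE and asns else None


# Constructed sample paths: origin 64496 making routes unacceptable to 64500.
SEQ_POISON = [(AS_SEQUENCE, [64496, 64500, 64496])]
SET_POISON = [(AS_SEQUENCE, [64496]), (AS_SET, [64500])]

if __name__ == "__main__":
    for name, path in (("sequence", SEQ_POISON), ("as_set", SET_POISON)):
        print(name,
              "strict:", accepts(64500, path),
              "ignores AS_SET:", accepts(64500, path, inspect_as_set=False),
              "length:", path_length(path),
              "origin:", origin_asn(path))
```

In this model the AS_SET variant is accepted by the receiver that skips AS_SET segments, and origin matching on it returns no origin at all, which is the kind of inconsistency the message describes.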
