On 30 May 2004, at 12:16, Gordon Smith wrote:

One thing that noone seems to have noticed yet, is that using TCNZ for transit in this way is virtually impossible due to the manner in which they route traffic. TCNZ use BGP communities to tag and filter, as did Clear before them.

It's common practice to tag routes where you learnt them with sufficient granularity that you can use those tags in place of explicit prefix filters in your export policy (e.g. "this was learnt from a customer", "this was learnt from a peer", etc). If there is any ISP here not doing this, I strongly advise them to start. It'll save you no end of grief.

So ingress and egress paths are filtered at the exchange points.

It's good practice to filter routes received from any external router, whether at an exchange point or not. There have been numerous examples of unscrupulous people getting something for nothing by exploiting weaknesses in the routing policies of large providers. This is not a recent innovation. However, it is not the case that by peering or even simply connecting to an exchange point you inevitably make yourself vulnerable to these things. Connecting your routers to other routers which are not controlled by you always involves a certain amount of risk, but if done properly the risk is very small (and there's always a layer 8/9 hammer as a last resort to smite persistent offenders). If I had bothered to make any slides for my BGP ramblings in Auckland last year, I'd point you at them. Of course, I didn't, so I can't. Joe