Recommendation: Deploy Peerlock

Operators deploying Peerlock mitigate many route leak and BGP hijacking risks. Peerlock is an optimized AS-Path filtering technique. The foundation is not new: operators have used AS-Path filters for decades. What is new is pairing the AS-Path filter with a written peering agreement between the two networks, so that each side knows which sessions may legitimately carry the other's ASN.

Job Snijders pioneered and championed Peerlock while at NTT (see NTT Peer Locking – Deployment of NTT “Peer Locking” Route Leak Prevention Mechanism). In this approach, each organization creates a document like NTT's and then works with each of its peers to deploy BGP Peerlock.

Does it work? Yes. Peerlock-lite is a deployed and proven safeguard against common types of BGP prefix leaks and BGP hijacks, and NTT's deployment has shown that the full Peerlock approach is practical at scale. Peerlock-lite is an explicit AS-Path filter built on one assumption: no normal operator sells transit to its upstreams or to the major transit networks, so a route received from a customer whose AS_PATH contains one of those ASNs can only be a leak.

The Peerlock-lite policy rejects any prefix you receive from your customers that contains a $bignetwork ASN anywhere in the AS_PATH. Apply it only on customer-facing sessions; on sessions with your upstreams and peers those ASNs appear legitimately. The ASN list below is an example and must be kept current by the operator. Here is a Cisco IOS example:

! The regular expression is a single line in the IOS configuration; the _ anchor
! matches start/end of path, a space, or an AS_SET brace, so 2914 does not match 29140.
ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
!
route-map ebgp-customer-in deny 1
 match as-path 99
!
! Without a later permit entry the route-map ends in an implicit deny and every
! customer route is dropped; the rest of the customer inbound policy goes here.
route-map ebgp-customer-in permit 10
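The following Python is an added example written for this page; it is not NTT's code and not part of the original article. It models the Peerlock-lite check described above (the same $bignetwork ASN list as the IOS example, including a regex that mirrors the IOS `_(…)_` anchoring so that 2914 does not match 29140) and, for contrast, the full Peerlock rule that a peer's ASN is only accepted on the direct session with that peer. The sample customer routes, the customer ASN 64500 and the `allowed_via` exception list are constructed assumptions for illustration.

```python
import re

# Constructed for this example: the $bignetwork ASN list copied from the IOS
# as-path access-list on this page. It is illustrative and must be maintained
# by the operator; it is not a canonical list of Tier-1 networks.
BIGNETWORK_ASNS = frozenset({
    174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356,
    3549, 5511, 6453, 6461, 6762, 7018, 12956,
})

# Python equivalent of the IOS regexp `_(174|209|...)_`. In IOS as-path
# regexps `_` matches the start or end of the path, a space, a comma, or an
# AS_SET / confederation brace or parenthesis, so an ASN only matches as a
# whole token: 2914 must not match inside 29140, and 701 must not match 7018.
_IOS_DELIM = r"[ ,{}()]"
IOS_BIGNETWORK_RE = re.compile(
    r"(?:^|" + _IOS_DELIM + r")("
    + "|".join(str(asn) for asn in sorted(BIGNETWORK_ASNS))
    + r")(?:$|" + _IOS_DELIM + r")"
)


def ios_regex_matches(as_path):
    """True when the IOS-style regexp `_(bignetworks)_` matches this AS_PATH."""
    return IOS_BIGNETWORK_RE.search(as_path) is not None


def as_path_asns(as_path):
    """Return every ASN in a textual AS_PATH such as '64500 {64501 2914} 3356',
    including ASNs inside AS_SET braces (they count for leak detection too)."""
    return [int(tok) for tok in re.findall(r"\d+", as_path)]


def peerlock_lite_rejects(as_path, bignetworks=BIGNETWORK_ASNS):
    """Peerlock-lite, applied on *customer* sessions only: reject the route if
    any $bignetwork ASN appears anywhere in its AS_PATH. Nobody sells transit
    to those networks, so a customer path containing one can only be a leak."""
    return any(asn in bignetworks for asn in as_path_asns(as_path))


def peerlock_rejects(as_path, session_peer_asn, locked_asn, allowed_via=frozenset()):
    """Full Peerlock for one written agreement with `locked_asn`: a route whose
    AS_PATH contains `locked_asn` is accepted only on the direct session with
    that network, or from a session peer the agreement lists in `allowed_via`
    (an assumed representation of the exception list a peer may supply).
    Unlike Peerlock-lite this is evaluated on every session."""
    if locked_asn not in as_path_asns(as_path):
        return False
    return session_peer_asn not in ({locked_asn} | set(allowed_via))


# Constructed sample UPDATEs as seen on a session with customer AS 64500.
SAMPLE_CUSTOMER_ROUTES = [
    ("192.0.2.0/24",      "64500"),               # customer's own prefix
    ("198.51.100.0/24",   "64500 64501"),         # the customer's customer
    ("203.0.113.0/24",    "64500 3356 64502"),    # AS3356 in a customer path: leak
    ("198.51.100.128/25", "64500 29140"),         # 29140 is not 2914
    ("203.0.113.128/25",  "64500 {64501 2914}"),  # AS2914 hidden inside an AS_SET
]


def apply_peerlock_lite(routes=SAMPLE_CUSTOMER_ROUTES):
    """Run the Peerlock-lite check over (prefix, as_path) pairs and return the
    decision for each prefix."""
    return {
        prefix: ("reject" if peerlock_lite_rejects(as_path) else "accept")
        for prefix, as_path in routes
    }


if __name__ == "__main__":
    for prefix, decision in apply_peerlock_lite().items():
        print(f"{prefix:20} {decision}")
```

The token-based check and the IOS-style regex give the same answer on every sample above; the regex is included so you can see why the `_` anchors in the IOS access-list matter, and the AS_SET sample shows that a leaked $bignetwork ASN is caught even when aggregation has moved it inside braces.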

A good video to gain context is Job Snijders' NANOG talk Everyday practical BGP filtering (video)(PDF).


Back to the leading guide BGP Route Hijacks & Routing Mistakes – What Can Be Done Today?

These BGP security materials are provided to help people around the Internet understand how to do their part to deploy a more resilient BGP infrastructure. Seek out more information at www.senki.org.