Routing Security Best Practices

The Authoritative Resource

For detailed, vendor-specific implementation guidance on BGP filtering and routing security, use the NLNOG BGP Filter Guide.

This is the industry-standard reference maintained by the Netherlands Network Operators Group. It provides concrete configurations for:

RPKI validation
Bogon filtering (ASNs and prefixes)
Prefix length limits
AS path sanitization
IXP peering LAN prefix filtering
Transit network filtering

Why Routing Security Matters

BGP was designed in an era of trust. Any AS can announce any prefix, and by default, the Internet believes it. This creates vulnerabilities:

Route hijacks redirect traffic to attackers
Route leaks propagate routes beyond their intended scope
Prefix hijacking enables interception, DDoS, and fraud

Real incidents have taken down major services, caused international incidents, and enabled cryptocurrency theft.

MANRS: The Framework

MANRS (Mutually Agreed Norms for Routing Security) defines four concrete actions:

Filtering - Prevent propagation of incorrect routing information
Anti-spoofing - Prevent traffic with spoofed source addresses
Coordination - Maintain accurate contact information and respond to incidents
Validation - Deploy RPKI and maintain IRR objects

MANRS is free to join and demonstrates your commitment to routing security.

RPKI in Practice

Resource Public Key Infrastructure cryptographically validates prefix announcements.

For Prefix Holders

Create ROAs (Route Origin Authorizations) via your RIR:

Log into your RIR's RPKI portal (ARIN, RIPE, APNIC, LACNIC, AFRINIC)
Create ROAs for all prefixes you announce
Specify: prefix, max-length, origin ASN
Keep ROAs synchronized with actual announcements

For Network Operators

Implement ROV (Route Origin Validation):

Deploy an RPKI validator (Routinator, FORT, rpki-client)
Configure routers to query the validator
Apply policies:
- Valid: accept/prefer
- Invalid: reject or deprioritize (start with logging)
- NotFound: accept (most prefixes lack ROAs currently)

Critical: Don't blindly drop Invalid routes without understanding the impact. Start with monitoring.

Key Tools and Resources

Implementation Guides

NLNOG BGP Filter Guide - Vendor-specific configurations
NLNOG IRR Explorer - Debug IRR configurations
MANRS.org - Framework and community support

Monitoring

RIPE RIS - Route collectors
RouteViews - Global BGP data
BGPmon - Alerting service
Is BGP Safe Yet? - RPKI deployment tracking

Validation

RIPE Validator - RPKI validation
Cloudflare RPKI Toolkit - Testing and validation

What the NLNOG Guide Covers

The NLNOG BGP Filter Guide provides implementation details for:

Basic Hygiene

Rejecting routes with bogon ASNs in AS_PATH
Rejecting bogon prefixes
Filtering too-specific prefixes (< /24 IPv4, < /48 IPv6)
Filtering routes with excessively long AS paths

RPKI Integration

Rejecting RPKI Invalid routes
SLURM configuration for local trust anchors
Vendor-specific RPKI validation configs

Advanced Filtering

Preventing IXP peering LAN prefix leaks
Filtering known transit networks in AS_PATH (prevents route leaks)
Stripping excess BGP communities
Graceful shutdown procedures

Vendor Coverage

The guide includes configurations for major vendors:

Cisco IOS / IOS-XR
Juniper JunOS
Nokia SR OS
Arista EOS
Bird / OpenBGPD / FRR

Beyond Filtering: Operational Security

Anti-Spoofing (BCP 38 / RFC 2827)

Implement source address validation on customer interfaces. This prevents DDoS attacks using spoofed sources.

Implementation: Use uRPF (Unicast Reverse Path Forwarding) in strict mode on customer links.

IRR Maintenance

Keep Internet Routing Registry objects current:

route/route6 objects for all announced prefixes
aut-num documenting routing policy
as-set objects for hierarchical representation

Authenticate your IRR objects using PGP or other RIR-provided mechanisms.

Incident Response

When you detect problems:

Verify using multiple vantage points (looking glasses, route collectors)
Contact the originating AS (use PeeringDB contacts)
Coordinate via NOG mailing lists if widespread
Document and share learnings post-incident

Automation

Generate filters from authoritative sources:

RPKI for origin validation
IRR for customer route filtering
Automated prefix list generation from IRR objects

Use configuration management (Ansible, Salt) to deploy consistently.

Common Mistakes

Over-filtering: Being too aggressive can break legitimate connectivity. Test filters before production deployment.

Under-maintaining: Filters become stale. Review quarterly at minimum.

Ignoring RPKI Invalid: Monitoring Invalid routes teaches you about misconfigurations. Many are legitimate errors, not attacks.

Blocking all ICMPv6: Required for IPv6 operation. Filter selectively, not wholesale.

No documentation: Document why each filter exists. Future you will thank past you.

Getting Started

Read the NLNOG BGP Filter Guide
Join MANRS
Deploy basic hygiene filters (bogons, prefix lengths)
Create ROAs for your prefixes
Implement RPKI validation (start with monitoring)
Maintain IRR objects
Monitor and iterate

Start small. Even basic filtering significantly improves Internet security.

BGP Essentials - Understand BGP fundamentals
Network Automation - Automate filter deployment
Community Engagement - Coordinate on security issues
Glossary - Security terminology reference

Sources:

The Authoritative Resource​

Why Routing Security Matters​

MANRS: The Framework​

RPKI in Practice​

For Prefix Holders​

For Network Operators​

Key Tools and Resources​

Implementation Guides​

Monitoring​

Validation​

What the NLNOG Guide Covers​

Basic Hygiene​

RPKI Integration​

Advanced Filtering​

Vendor Coverage​

Beyond Filtering: Operational Security​

Anti-Spoofing (BCP 38 / RFC 2827)​

IRR Maintenance​

Incident Response​

Automation​

Common Mistakes​

Getting Started​

Related Topics​