From c1eb59cecfa9dd385b6ba4d550e42d945f3b9222 Mon Sep 17 00:00:00 2001
From: Wolfgang Tremmel
Date: Wed, 7 Feb 2024 17:15:44 +0100
Subject: [PATCH] initial text for max prefix incoming

---
 docs/guides/route_filtering/inbound/max_prefix.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/docs/guides/route_filtering/inbound/max_prefix.md b/docs/guides/route_filtering/inbound/max_prefix.md
index e69de29..16cd2df 100644
--- a/docs/guides/route_filtering/inbound/max_prefix.md
+++ b/docs/guides/route_filtering/inbound/max_prefix.md
@@ -0,0 +1,14 @@ +# Maximum Prefix + +This parameter is configured for each eBGP session and is the simplest and easiest security measure you can use. Unfortunately, many stop here. Please do not. + +Maximum prefix defines a limit for the number of prefixes you accept from an eBGP peer. If the peer sends more, the eBGP session is shut down. Usually, routers keep the session down for some time, then it is automatically re-enabled. If the peer still sends more prefixes than allowed, it is shut down again. + +For selecting this limit, the following rules of thumb can be used: + +- For sessions to *peers*, the limit should be less than the total number of prefixes in the Internet. Set it at least to ten times the normal number of prefixes your peer announces. This protects you against your peer announcing the full routing table to you, but still allows normal growth. Check and adjust from time to time (or even better: Automate this). +- For sessions to your *upstream* provider, you must, of course, set the limit higher than the total number of prefixes in the Internet. It must be high enough to accommodate normal growth, so either set it *very* high or check and adjust it regularly. Otherwise, there can be surprising session shutdowns. This protects you against gross misconfigurations at your upstream provider (like sending you a lot of de-aggregated prefixes). + +If you want to automate this, at [PeeringDB](https://peeringdb.com) networks can publish suggested values for maximum prefix. + +Also, keep in mind that maximum prefix for IPv4 and IPv6 are two different values.
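Review bot: The two rules of thumb in the *peers* bullet can contradict each other for a large peer: "at least ten times the normal number of prefixes your peer announces" can easily exceed "less than the total number of prefixes in the Internet" once a peer announces tens of thousands of prefixes, so the text should say which rule wins (suggest: "ten times the normal count, but always below the size of the full table"). Two smaller points in the same hunk: the sentence "Usually, routers keep the session down for some time, then it is automatically re-enabled" describes behaviour that depends on the implementation and its configuration (on several platforms the default is to leave the session down until an operator clears it, and most also offer a warning-only threshold at a percentage of the limit), so phrase this as "depending on configuration" and mention the warning threshold as the first thing to enable; and the closing line "maximum prefix for IPv4 and IPv6 are two different values" reads more clearly as "the limit is configured per address family, so IPv4 and IPv6 need separate values".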