region-validation confed-check strict (BGP-IPv4 unicast address family view)

Function

The region-validation command enables regional validation of BGP routes.

The undo region-validation command disables regional validation of BGP routes.

The region-validation confed-check strict command configures strict regional validation of BGP routes.

The undo region-validation confed-check strict command restores the default configuration.

By default, regional validation of BGP routes is not enabled.

Format

region-validation

region-validation confed-check strict

undo region-validation [ confed-check strict ]

Parameters

None

Views

BGP-IPv4 unicast address family view, BGP-IPv6 unicast address family view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
bgp          write

Usage Guidelines

Usage Scenario

Internet security incidents occur with increasing frequency. Route hijacking and route leak events can cause route blackholes, traffic eavesdropping, and large-scale denial of service (DoS) attacks, severely disrupting normal Internet operation. Preventing or mitigating route hijacking and route leaks has therefore become one of the most urgent requirements of carriers and equipment vendors.

Regional validation is a solution that combines multiple trusted ASs into a region and multiple regions into a regional confederation. By checking whether the routes received from EBGP peers in external regions belong to the local region, regional validation prevents external regions from hijacking routes in the local region.

After the region-validation command is run to enable regional validation, the local device checks the routes received from EBGP peers based on the following rules:

  • If the original AS in the AS_Path attribute of the route belongs to the local region, the route originated from the local region. The router then checks whether the AS to which the EBGP peer belongs is in the local region. If yes, the regional validation succeeds. If not, the route may have been hijacked and the regional validation fails.
  • If the original AS in the AS_Path attribute of the route does not belong to the local region but belongs to another region in the local regional confederation, the route originated from the local regional confederation. The router then checks whether the AS to which the EBGP peer belongs is in the local regional confederation. If yes, the regional validation succeeds. If not, the route may have been hijacked and the regional validation fails.
  • If the original AS in the AS_Path attribute of the route belongs neither to the local region nor to any other region in the local regional confederation, regional validation is not performed. The regional validation result does not affect BGP route selection.

You can run the region-validation confed-check strict command to configure strict regional validation. After receiving a route from an EBGP peer, the router checks the route according to the following rules:

  • If the original AS in the AS_Path attribute of the route belongs to the local region, the route originated from the local region. The router then checks whether the AS to which the EBGP peer belongs is in the local region. If yes, the regional validation succeeds. If not, the route may have been hijacked and the regional validation fails.
  • If the original AS in the AS_Path attribute of the route does not belong to the local region but belongs to another region in the local regional confederation, the route originated from the local regional confederation. In this case, the device checks whether the AS to which the EBGP peer belongs is in the region of the original AS (not merely anywhere in the confederation, as in non-strict mode). If yes, the regional validation succeeds. If not, the route may have been hijacked and the regional validation fails.
  • If the original AS in the AS_Path attribute of the route belongs neither to the local region nor to any other region in the local regional confederation, regional validation is not performed.
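The following is an added example that models the two rule sets above (non-strict and strict regional validation) as a small decision procedure, so the difference between the two modes can be seen on concrete routes. It is not Huawei's implementation; the region names, AS numbers and AS_Path values are constructed for illustration, and the origin AS is taken to be the rightmost AS in the AS_Path, as in BGP.

```python
"""Model of BGP regional validation (normal and strict confed-check modes).

Added illustration, not vendor code. Regions, AS numbers and routes below are
constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Result(Enum):
    PASS = "pass"                    # validation succeeded
    FAIL = "fail"                    # route may be hijacked
    NOT_PERFORMED = "not performed"  # origin AS outside the confederation


@dataclass
class Confederation:
    local_region: str
    # region name -> set of member AS numbers (hypothetical data structure)
    regions: Dict[str, Set[int]]

    def region_of(self, asn: int) -> Optional[str]:
        """Return the region an AS belongs to, or None if it is external."""
        for name, members in self.regions.items():
            if asn in members:
                return name
        return None


def origin_as(as_path: List[int], peer_as: int) -> int:
    """The originating AS is the rightmost entry of AS_Path.

    An EBGP peer normally prepends its own AS, so an empty path is treated as
    a route originated by the peer itself."""
    return as_path[-1] if as_path else peer_as


def regional_validation(conf: Confederation, as_path: List[int],
                        peer_as: int, strict: bool = False) -> Result:
    """Apply the page's rules to one route received from EBGP peer `peer_as`."""
    origin_region = conf.region_of(origin_as(as_path, peer_as))
    peer_region = conf.region_of(peer_as)

    # Rule 3: origin AS is outside the confederation -> no validation.
    if origin_region is None:
        return Result.NOT_PERFORMED

    # Rule 1 (both modes): origin in the local region -> peer must be local too.
    if origin_region == conf.local_region:
        return Result.PASS if peer_region == conf.local_region else Result.FAIL

    # Rule 2: origin in another region of the confederation.
    if strict:
        # Strict: peer must sit in the very region the route originated from.
        return Result.PASS if peer_region == origin_region else Result.FAIL
    # Non-strict: any region of the confederation is acceptable.
    return Result.PASS if peer_region is not None else Result.FAIL


# Constructed topology: local region R1, sibling region R2, AS 65100 external.
SAMPLE_CONF = Confederation(
    local_region="R1",
    regions={"R1": {65001, 65002}, "R2": {65003, 65004}},
)


def check_sample_routes(strict: bool) -> Dict[str, Result]:
    """Run a few constructed routes through the checker and return the verdicts."""
    routes = {
        # origin 65001 (local), received from local peer 65002
        "local_via_local": ([65002, 65001], 65002),
        # origin 65001 (local), but received from external peer 65100
        "local_via_external": ([65100, 65001], 65100),
        # origin 65003 (region R2), received from local peer 65002
        "r2_via_r1_peer": ([65002, 65003], 65002),
        # origin 65003 (region R2), received from R2 peer 65004
        "r2_via_r2_peer": ([65004, 65003], 65004),
        # origin 65100 (external), received from external peer
        "external_origin": ([65100, 65100], 65100),
    }
    return {name: regional_validation(SAMPLE_CONF, path, peer, strict)
            for name, (path, peer) in routes.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "normal")
        for name, verdict in check_sample_routes(mode).items():
            print(f"  {name:20s} {verdict.value}")
```

The route `r2_via_r1_peer` is the one that separates the modes: in normal mode it passes because the peer's AS is somewhere in the confederation, while strict mode fails it because the peer is not in region R2, where the route originated. In both modes the external-origin route is left unvalidated, matching the statement that the result does not influence route selection for such routes.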

Precautions

To enable regional confederation, you also need to add ASs to a region or add regions to a confederation. If no AS exists in a region, regional confederation does not take effect.

Example

# Enable regional validation of BGP routes.
<HUAWEI> system-view
[~HUAWEI] bgp 100
[*HUAWEI-bgp] ipv4-family unicast
[*HUAWEI-bgp-af-ipv4] region-validation

# Enable strict regional validation of BGP routes.
<HUAWEI> system-view
[~HUAWEI] bgp 100
[*HUAWEI-bgp] ipv4-family unicast
[*HUAWEI-bgp-af-ipv4] region-validation confed-check strict
Copyright © Huawei Technologies Co., Ltd.