
Peerlock / Peerlock-lite

Peerlock and Peerlock-lite are operator-side BGP filter recipes that catch the most obvious route leaks by doing a cheap sanity check on received AS paths.

Peerlock

github.com/job/peerlock (Job Snijders) provides Junos / IOS-XR policy templates that implement the following rule, approximately:

"If I receive a route from a non-Tier-1 neighbor (i.e. a customer, a peer, or a route-server) whose AS path contains a known Tier-1 ASN, that is a leak: reject it."

The underlying observation: Tier-1 networks only peer with other Tier-1s (laterally) and serve everything else as customers. So a Tier-1's routes should only ever reach you from the Tier-1 itself (as your transit) or from another Tier-1. If a Tier-1 ASN appears in an AS path received from a non-Tier-1, some non-Tier-1 downstream of that Tier-1 re-announced the route across a non-transit relation, which is the hallmark of a leak.

Peerlock-lite

Peerlock-lite (NANOG) is the stripped-down cousin: a small set of AS-path regex filters that any operator can drop into their BGP policy without maintaining a full Tier-1 ASN list.

Why it's a stop-gap and not the end state

  • Manual list maintenance: Peerlock depends on an operator-maintained list of Tier-1 ASNs. ASes can enter or leave the Tier-1 club, so lists drift unless someone keeps them current.
  • Partial coverage: only leaks whose AS path contains a Tier-1 ASN are caught. A leak between non-Tier-1 networks (e.g. a customer re-announcing routes learned from one of its peers) contains no Tier-1 ASN and passes the check untouched.
  • Not cryptographic: no signed assertion about who is allowed to announce what; the filter is just an AS-path regex.
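The Peerlock rule and its Peerlock-lite regex form, together with the partial-coverage caveat from the list above, as an added Python example. This is not code from github.com/job/peerlock or the NANOG Peerlock-lite templates: the Tier-1 ASN set, the neighbor classes and the sample routes are constructed for illustration, and the regex is a plain Python approximation of the vendor AS-path regex.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed, illustrative Tier-1 ASN list (documentation-range ASNs).
# Assumption: not the list shipped with the Peerlock templates; operators
# maintain their own, which is the "manual list maintenance" cost.
TIER1_ASNS: Set[int] = {64500, 64501, 64502}

# Neighbor classes the Peerlock rule applies to. A route learned from a
# Tier-1 transit is exempt, since that is the legitimate way to see a Tier-1.
NON_TIER1_NEIGHBORS = {"customer", "peer", "route-server"}


def peerlock_reject(neighbor_class: str, as_path: List[int],
                    tier1: Set[int] = TIER1_ASNS) -> bool:
    """Return True when the Peerlock rule rejects the route.

    A Tier-1 ASN anywhere in a path learned from a customer, peer or
    route-server means the path bounced through a non-Tier-1: a leak.
    """
    if neighbor_class not in NON_TIER1_NEIGHBORS:
        return False
    return any(asn in tier1 for asn in as_path)


def peerlock_lite_regex(tier1: Iterable[int]) -> "re.Pattern[str]":
    """Build a Peerlock-lite style AS-path regex matching any Tier-1 ASN.

    Assumption: the AS path is a space-separated string of ASNs, and a
    Tier-1 ASN must match as a whole token (64500 must not match 645001).
    """
    alternation = "|".join(str(a) for a in sorted(set(tier1)))
    return re.compile(rf"(?:^|\s)(?:{alternation})(?:\s|$)")


def filter_routes(routes: Iterable[Tuple[str, str, List[int]]],
                  tier1: Set[int] = TIER1_ASNS) -> Tuple[List[str], List[str]]:
    """Apply the rule to (neighbor_class, prefix, as_path) tuples.

    Returns (accepted_prefixes, rejected_prefixes).
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for neighbor_class, prefix, as_path in routes:
        if peerlock_reject(neighbor_class, as_path, tier1):
            rejected.append(prefix)
        else:
            accepted.append(prefix)
    return accepted, rejected


# Constructed sample routes as (neighbor_class, prefix, as_path).
SAMPLE_ROUTES = [
    # Ordinary customer route: no Tier-1 in the path, accepted.
    ("customer", "192.0.2.0/24", [65001]),
    # Peer hands us a path containing Tier-1 64500: rejected as a leak.
    ("peer", "198.51.100.0/24", [65002, 64500, 65003]),
    # Same Tier-1 seen via our Tier-1 transit: legitimate, accepted.
    ("transit", "203.0.113.0/24", [64501, 65004]),
    # Leak among non-Tier-1s (65005 re-announcing its peer 65006's route):
    # no Tier-1 ASN in the path, so Peerlock cannot see it. Accepted.
    ("customer", "203.0.113.128/25", [65005, 65006, 65007]),
]


if __name__ == "__main__":
    ok, bad = filter_routes(SAMPLE_ROUTES)
    print("accepted:", ok)
    print("rejected:", bad)
    pattern = peerlock_lite_regex(TIER1_ASNS)
    print("peerlock-lite regex:", pattern.pattern)
```

The fourth sample route is the point of the caveat: a leak that never touches a Tier-1 looks identical to a normal customer announcement under this check, which is why the page calls Peerlock a stop-gap rather than an end state.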

The end state is ASPA plus the RFC 9234 OTC (Only-to-Customer) attribute, but ASPA needs global adoption and OTC needs vendor roadmap wins. Peerlock covers the near term.
