North American Network Operators Group

Re: In case anyone hadn't seen this

  • From: John W. Stewart III
  • Date: Fri Apr 25 15:40:28 1997

 > The solution to this problem is filtering, which has been known for 
 > a long time. 
 > 
 > The providers that have been filtering on the customer edge seem to 
 > have done much better in terms of providing sanitized routes. I am
 > wondering how many such major outages need to occur in order to 
 > convince some providers to do customer filtering?

i'd argue that filtering is protection against misconfigurations.
in practice, the way that filtering is done, it does not protect
us from malice; hopefully such attacks would be short-lived
because the immediate provider(s) would cut the person off, but
even short problems on the scale we're talking about are serious.
fortunately most of the wide-scale attacks we've seen have not
been within the routing system itself (though some have pounded
its infrastructure .. e.g., the low UDP port number attack), but
there's always that possibility.  in order for filtering to
protect us from malicious attacks within the routing system we
need a lot more in the way of authentication for registries and
tools built on top of them

of course that means a lot of work, so people have to first
recognize how fragile some of this stuff is.  today's excitement
is a very good example of that fragility

to be clear, i am a fan of registries and filtering as they are
currently used .. there is no alternative other than chaos.  i
just think it's a mistake to think that filtering as we know it
now is equivalent to a necessarily robust routing system

/jws
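
Added example, not part of the original message: a minimal Python sketch of a customer-edge prefix filter built from registry route objects, showing that it rejects a leaked prefix but accepts whatever the registry lists unless the objects are authenticated. The registry entries, the `authenticated` flag, the AS number and all function names are constructed assumptions; prefixes and the AS number come from documentation ranges.

```python
import ipaddress

# Constructed registry route objects: (prefix, origin AS, authenticated?)
REGISTRY = [
    ("192.0.2.0/24", 64500, True),      # the customer's real allocation
    ("198.51.100.0/24", 64500, False),  # object nobody verified before it was registered
]

# Constructed announcements received from the customer session (AS 64500)
ANNOUNCEMENTS = [
    "192.0.2.0/24",     # legitimate route
    "203.0.113.0/24",   # leaked route, not registered to this customer
    "198.51.100.0/24",  # matches the unverified registry object
]


def build_filter(registry, customer_as, require_auth):
    """Build the customer's prefix list, optionally from authenticated objects only."""
    return [
        ipaddress.ip_network(prefix)
        for prefix, origin_as, authenticated in registry
        if origin_as == customer_as and (authenticated or not require_auth)
    ]


def accept(prefix_filter, announced, max_len=24):
    """Accept an announcement only if it sits inside a listed prefix and is not too specific."""
    net = ipaddress.ip_network(announced)
    if net.prefixlen > max_len:
        return False
    return any(net.subnet_of(allowed) for allowed in prefix_filter)


def run_edge(registry, customer_as, announcements, require_auth):
    """Return {announcement: accepted?} for one customer session."""
    prefix_filter = build_filter(registry, customer_as, require_auth)
    return {a: accept(prefix_filter, a) for a in announcements}


if __name__ == "__main__":
    for mode in (False, True):
        print("require_auth =", mode)
        for prefix, ok in run_edge(REGISTRY, 64500, ANNOUNCEMENTS, mode).items():
            print("  ", prefix, "accept" if ok else "reject")
```

With `require_auth=False` the filter is only as trustworthy as the registry data behind it; the leaked prefix is dropped in both modes.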