North American Network Operators Group


Re: route ingress

  • From: Justin W. Newton
  • Date: Wed Dec 31 11:16:46 1997

At 04:13 PM 12/30/97 -0800, Vadim Antonov wrote:
>> filters are your friend.  filters are your friends' friend.
>Yes, but centralized database is not the answer.  For one, it
>is liable to be screwed up completely from time to time (that much,
>InterNIC experience shows us).  It is expensive to maintain; and
>the problem of accuracy of the information within is quite acute.
>The political implications of a centralized agency are even worse;
>I do not think we want a replay of the domain name debate.
>The only real solution is strong cryptographical authentication of
>the ownership of routing prefixes.   For some reason I do not see
>any serious work in that direction being done.
>For now, it may be a good idea for tier-1 providers to adhere to a
>procedure similar to that used (or used to be used) by Sprint: no
>customer routing information is accepted before customer's border
>box configuration passed inspection by Sprint staff.  No-nos included
>unfiltered redistribution of IGP into BGP and lack of anti-transit AS-path

	Your policy above is unwise from the perspective that it seems to believe
that configuration errors are a one-time problem.  A more reasonable policy
is to help your customers learn how to set up filters properly, and then
filter heavily on /your/ router to make certain that no matter what they do
they can't affect either your internal or external routing.

Justin W. Newton                        voice: +1-650-482-2840 	
Senior Network Architect                  fax: +1-650-482-2844
Legislative and Policy Director, ISP/C
"The People You Know.  The People You Trust."
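
Added example, not part of the original message: a sketch of the provider-side check the reply argues for, applied to every announcement on a customer session regardless of how the customer's own router is configured. The policy table, the function name accept_route, and the sample values (documentation prefixes, private-use and documentation AS numbers) are constructed; it assumes a stub customer with no downstream ASes.

```python
import ipaddress

# Constructed per-customer policy: registered prefixes and the longest
# prefix length the provider will accept from that customer.
POLICY = {
    64512: {"prefixes": ["192.0.2.0/24", "198.51.100.0/24"], "max_len": 24},
}

def accept_route(customer_asn, prefix, as_path, policy=POLICY):
    """Return (accepted, reason) for one announcement from a customer session."""
    entry = policy.get(customer_asn)
    if entry is None:
        return False, "no filter registered for this customer"
    try:
        net = ipaddress.ip_network(prefix)  # strict: rejects host bits set
    except ValueError:
        return False, "malformed prefix"
    allowed = [ipaddress.ip_network(p) for p in entry["prefixes"]]
    # Catches IGP-into-BGP redistribution of internal or unregistered space.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not registered to customer"
    # Catches de-aggregated more-specifics of registered space.
    if net.prefixlen > entry["max_len"]:
        return False, "more specific than allowed"
    # Anti-transit check: only the customer's own AS (prepending allowed).
    if not as_path or any(asn != customer_asn for asn in as_path):
        return False, "AS path contains other ASes"
    return True, "ok"

# Constructed announcements: (customer ASN, prefix, AS path as received).
SAMPLE = [
    (64512, "192.0.2.0/24", [64512]),            # legitimate
    (64512, "192.0.2.0/24", [64512, 64512]),     # legitimate, prepended
    (64512, "192.0.2.128/25", [64512]),          # de-aggregated
    (64512, "10.1.2.0/30", [64512]),             # leaked internal link net
    (64512, "198.51.100.0/24", [64512, 64496]),  # re-announced transit route
    (64513, "203.0.113.0/24", [64513]),          # customer with no filter
]

def evaluate(sample=SAMPLE):
    """Run every sample announcement through the filter."""
    return [accept_route(asn, pfx, path) for asn, pfx, path in sample]

if __name__ == "__main__":
    for (asn, pfx, path), (ok, why) in zip(SAMPLE, evaluate()):
        print(f"AS{asn} {pfx:<18} path={path} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```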