North American Network Operators Group

Re: Deciding whose network block is whose?
Geoff Huston <[email protected]> writes:

> I am looking to the regional registries to take some level of initiative
> and provide clients of their address allocation service the ability to
> sign the allocation and then the client can sign the routing request to the
> provider which the provider can verify against the regional registry.
> We went through this in discussion in the room at the time and it
> looked like a viable and useful approach.

Yes, but this is only part of the problem. I mean, fantastic idea, but then it's not exactly transitive.

How do I know I can trust that Telstra's announcements have been authorized by the people responsible for the prefixes in question?

Worse, since I do not talk directly with Telstra, how do I know I can trust the intermediary networks not to have performed (or fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I do to prevent falling victim to subnet-announcement attacks? Note that a larger CIDR block can still fall victim to announcements of /19s in networks which use The Satanic Filters.

Perhaps you have some idea other than mine (prayer) for scalably solving these and similar issues?

Sean.
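Added example, not part of the original message: a sketch of why a /19 prefix-length filter alone does not stop a more-specific announcement inside a larger block, and how comparing the origin against registry allocation data would flag it. The prefixes (benchmarking space), AS numbers (documentation range), the allocation table and all function names are constructed for illustration; the check looks only at the origin, so it does not address the AS path questions raised above.

```python
import ipaddress

MAX_PREFIX_LEN = 19  # filter policy: accept nothing longer than a /19

# Constructed registry view: allocated block -> origin AS authorized by the holder
ALLOCATIONS = {ipaddress.ip_network("198.18.0.0/15"): 64496}

# Constructed announcements as (prefix, origin AS)
ANNOUNCEMENTS = [
    ("198.18.0.0/15", 64496),    # holder's aggregate
    ("198.18.32.0/19", 64511),   # more-specific from an unrelated origin
    ("198.18.64.0/24", 64511),   # longer than the filter allows
    ("198.18.128.0/19", 64496),  # holder's own more-specific
]

def passes_length_filter(prefix):
    return prefix.prefixlen <= MAX_PREFIX_LEN

def covering_allocation(prefix):
    """Most specific allocation that contains the prefix, or None."""
    matches = [a for a in ALLOCATIONS if prefix.subnet_of(a)]
    return max(matches, key=lambda a: a.prefixlen) if matches else None

def classify(prefix_str, origin):
    prefix = ipaddress.ip_network(prefix_str)
    if not passes_length_filter(prefix):
        return "dropped-by-length-filter"
    alloc = covering_allocation(prefix)
    if alloc is None:
        return "accepted-no-allocation-data"
    if ALLOCATIONS[alloc] != origin:
        return "accepted-origin-mismatch"  # the filter passed it; registry data disagrees
    return "accepted-origin-matches"

def best_route(dest_str):
    """Longest-prefix match over routes that survive the length filter only."""
    dest = ipaddress.ip_address(dest_str)
    routes = [(ipaddress.ip_network(p), o) for p, o in ANNOUNCEMENTS]
    live = [(n, o) for n, o in routes if passes_length_filter(n) and dest in n]
    return max(live, key=lambda r: r[0].prefixlen) if live else None

if __name__ == "__main__":
    for p, o in ANNOUNCEMENTS:
        print(p, "AS%d" % o, classify(p, o))
    print("198.18.40.1 ->", best_route("198.18.40.1"))
```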