North American Network Operators Group


Re: Deciding whose network block is whose?

  • From: Sean M. Doran
  • Date: Tue Jan 06 14:24:22 1998

Geoff Huston <[email protected]> writes:

> I am looking to the regional registries to take some level of initiative 
> and provide clients of their address allocation service the ability to 
> sign the allocation and then the client can sign the routing request to the
> provider which the provider can verify against the regional registry.
> We went through this in discussion in the room at the time and it
> looked like a viable and useful approach.

Yes, but this is only part of the problem.

I mean, fantastic idea, but then it's not exactly
transitive.  How do I know I can trust that Telstra's
announcements have been authorized by the people
responsible for the prefixes in question?  Worse, since I
do not talk directly with Telstra, how do I know I can
trust the intermediary networks not to have performed (or
fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I
do to prevent falling victim to subnet-announcement
attacks?  Note that a larger CIDR block can still fall
victim to announcements of /19s in networks which use The
Satanic Filters.

Perhaps you have some idea other than mine (prayer) for
scalably solving these and similar issues?
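
The subnet-announcement problem raised in this message, as an added example that is not part of the original post: a /19 length filter still admits a more-specific route, longest-prefix match prefers it over the covering aggregate, and a check against registry allocation data flags the origin mismatch. The prefixes, AS numbers, allocation table and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: registry allocations (prefix -> AS authorized to originate it).
ALLOCATIONS = {ipaddress.ip_network("10.16.0.0/16"): 64500}

# Constructed announcements as seen by a remote network: (prefix, AS path).
ANNOUNCEMENTS = [
    ("10.16.0.0/16", [64501, 64500]),   # holder's aggregate
    ("10.16.32.0/19", [64502, 64511]),  # more-specific from another origin
    ("10.16.64.0/24", [64502, 64511]),  # longer than the filter allows
]

def length_filter(announcements, max_len=19):
    """Prefix-length filtering: drop anything longer than max_len."""
    kept = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= max_len:
            kept.append((net, path))
    return kept

def best_route(routes, dest):
    """Longest-prefix match, the rule a forwarding decision follows."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def origin_status(net, path):
    """Compare the origin (last AS in the path) with the registry allocation.

    The origin is read from the path as received, so a path altered in
    transit passes this check unchanged.
    """
    for alloc, asn in ALLOCATIONS.items():
        if net.subnet_of(alloc):
            return "authorized" if path[-1] == asn else "unauthorized"
    return "unknown"

def audit(announcements, max_len=19):
    """Return (prefix, origin AS, status) for each route that passes the filter."""
    return [(str(n), p[-1], origin_status(n, p))
            for n, p in length_filter(announcements, max_len)]

if __name__ == "__main__":
    routes = length_filter(ANNOUNCEMENTS)
    print("best route to 10.16.40.1:", best_route(routes, "10.16.40.1"))
    for row in audit(ANNOUNCEMENTS):
        print(row)
```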