North American Network Operators Group

Re: using IRR tools for BGP route filtering

  • From: Jessica Yu
  • Date: Thu Jun 22 14:39:44 2000

If every ISP does prefix based filtering on its
downstream customers, the integrity of the Internet
routing system will be improved a lot. The document
below proposes such a model:

http://www.iops.org/Documents/routing.html

                           --Jessica
--- Danny McPherson <[email protected]> wrote:
>
> > i emphatically DO NOT think that large providers should filter other
> > peers. i think the large providers should filter their own announcements,
> > by carefully verifying what a downstream wishes to announce before
> > accepting it, filtering the customer announcements, and aggregating their
> > announcements to peers.
>
> I believe Randy's point is that it'd be really nice to filter prefixes
> learned from peers, but even if the routing databases were up to date,
> reliable and useful, the routers can't perform the policy matches against
> filters fast enough.
>
> And I agree completely.  The fact that pretty much any network with an
> AS number could take any Internet subnet completely offline in a matter
> of -- what, ~8 minutes(?), intentionally or unintentionally, well,
> I think it's pretty amazing.  The only way a service provider can protect
> their customers from this is by applying prefix-based filtering to all
> their peers.
>
> Of course, this requires valid, accessible, up to date IP registration
> information.  It also requires routers that can store hundreds of
> thousands of lines of policies.  Then, the routers have to be able to
> perform matches on the policies when processing updates.  All this is at
> the "control plane".
>
> Then, ideally, the routers would be able to utilize the same set of
> policies to perform packet filtering functions in the "data plane",
> which is even more interesting.
>
> These two components alone would make the overall Internet
> infrastructure far more reliable and secure than it is today,
> no doubt.
>
> > i think it's silly to try and regulate the world from one's own corner.
> > regulate your corner, and encourage others to do the same. i don't care if
> > said encouragement is by tacit agreement, or bound up in legalese in
> > peering agreements.
>
> I don't think it's silly at all to regulate the policies one employs
> in their network in order to increase overall destination availability
> to one's customers.  Policies of this nature only require support of the
> network that implements them.  Other than requiring peers to keep registry
> information up to date, they impact the peer networks in no way whatsoever.
>
> -danny
> 
> 
> 
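The customer-side prefix filtering discussed in this thread, sketched as an added example that is not part of the original messages: it builds a per-customer allow-list from RPSL route objects and checks announcements against it. The registry data, AS numbers, function names and the `max_len` limit on more-specifics are all assumptions made for illustration.

```python
import ipaddress

# Constructed RPSL route objects (documentation/benchmark prefixes, private-use ASNs).
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
source:  EXAMPLE

route:   198.18.0.0/15
origin:  AS64500
source:  EXAMPLE

route:   203.0.113.0/24
origin:  AS64501
source:  EXAMPLE
"""

def parse_route_objects(text):
    """Return {origin_asn: [ip_network, ...]} from blank-line separated route objects."""
    table = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(
            (key.strip().lower(), value.strip())
            for key, value in (line.split(":", 1)
                               for line in block.splitlines() if ":" in line)
        )
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            table.setdefault(attrs["origin"].upper(), []).append(net)
    return table

def build_customer_filter(table, customer_asns):
    """Prefixes the customer's AS set is registered to originate, sorted."""
    return sorted({net for asn in customer_asns for net in table.get(asn, [])})

def accept(announced, origin_asn, table, customer_asns, max_len=24):
    """Accept an announcement only if its origin belongs to the customer and the
    prefix is registered to that origin, or is a more-specific of a registered
    prefix no longer than max_len (an assumed local policy)."""
    if origin_asn not in customer_asns:
        return False
    net = ipaddress.ip_network(announced, strict=True)
    if net.prefixlen > max_len:
        return False
    return any(net.subnet_of(reg) for reg in table.get(origin_asn, []))
```

The check is only as good as the registry data behind it, which is the dependency on up-to-date registration information raised in the quoted message.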

