North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: using IRR tools for BGP route filtering

  • From: Jessica Yu
  • Date: Thu Jun 22 14:39:44 2000

If every ISP does prefix based filtering on its
downstream customers, the integrity of the Internet
routing system will be improved a lot. The document
below proposes such a model:

--- Danny McPherson <[email protected]> wrote:
> > i emphatically DO NOT think that large providers
> should filter other
> > peers. i think the large providers should filter
> their own announcements,
> > by carefully verifying what a downstream wishes to
> announce before
> > accepting it, filtering the customer
> announcements, and aggregating their
> > announcements to peers. 
> I believe Randy's point is that it'd be really nice
> to filter prefixes 
> learned from peers, but even if the routing
> databases were up to date, 
> reliable and useful, the routers can't perform the
> policy matches against
> filters fast enough.  
> And I agree completely.  The fact that pretty much
> any network with an
> AS number could take any Internet subnet completely
> offline in a matter 
> of -- what, ~8 minutes(?), intentionally or
> unintentionally, well, 
> I think it's pretty amazing.  The only way a service
> provider can protect
> their customers from this is by applying
> prefix-based filtering to all
> their peers.
> Of course, this requires valid, accessible, up to
> date IP registration
> information.  It also routers that can store
> hundreds of thousands of 
> lines of policies.  Then, the routers have to be
> able to perform matches
> on the policies when processing updates.  All this
> is at the "control
> plane".
> Then, ideally, the routers would be able to utilize
> the same set of 
> policies to perform packet filtering functions in
> the "data plane",
> which is even more interesting.
> These two components alone would make the overall
> Internet 
> infrastructure far more reliable and secure than it
> is today,
> no doubt.
> > i think its silly to try and regulate the world
> from ones own corner. 
> > regulate your corner, and encourage others to do
> the same. i don't care if
> > said encouragement is by tacit agreememnt, or
> bound up in legealese in
> > peering agreements.
> I don't think it's silly at all to regulate the
> policies one employs in
> in their network in order to increase overall
> destination availability 
> to ones customers.  Policies of this nature only
> require support of the
> network that implements them.  Other than requiring
> peers to keep registry 
> information up to date, they impact the peer
> networks no way whatsoever.
> -danny

Do You Yahoo!?
Send instant messages with Yahoo! Messenger.