North American Network Operators Group


Re: Defeating DoS Attacks Through Accountability

  • From: Sean Donelan
  • Date: Sun Nov 12 01:11:49 2000

On Sat, 11 November 2000, Mark Prior wrote:
> As there is no real way to determine who is authorized to announce a
> prefix we must rely on some measure of "reasonableness", ie does it
> look likely that a customer should announce that prefix, and in the
> case of BGP announced routes we would look in the routing table to see
> if the route is already being announced.

Just like credit card numbers, telephone numbers and so forth, every
valid IP address used on the Internet does have a delegation of
authority.

Do we need IP escrow and title insurance companies whose business includes
verifying the lineage of an IP address assignment?  If you can't show you
have clear authority to use an IP address, should you have liability for
any and all damages caused by your improper announcement of that address?
Perhaps after a few major providers faced huge lawsuits and liability they
would clean things up.

Would you build a store on property you weren't sure if you had clear title,
but it looked empty so you moved in?  It's an analogy, so it doesn't match
exactly.

So everyone doesn't know the exact method of verifying a credit card
number or verifying a telephone number or verifying an IP address.  If you
don't know how to do it, perhaps you should hire a third-party to do it
for you.  If you can't properly delegate the IN-ADDR.ARPA reverse mapping,
more than likely you shouldn't be announcing the IP address.  If you can't
properly register your contact information for the address, perhaps you
shouldn't be announcing the IP address.  Perhaps a lot of things.  I know
people haven't been very careful in dotting all the i's and crossing all
the t's in the past, so some of the records aren't in the best shape.

But the current practice of announcing first, and only after you kill some
innocent bystander's network, then fixing it, needs to stop.

Every IP address should be traceable to an original recorded delegation.
If the "paperwork" isn't complete or is inaccurate, we should work on fixing
it.  Sticking our heads in the sand, and announcing the network until
someone complains is not good.

I've seen too many networks knocked completely off the net for days.  I thought
after major networks like Sprint and AT&T had their services disrupted for
hours something would get fixed.  How can you run something, which some
people have called vital to our national security, where virtually anyone
half-a-world away can black-hole your routes?  But after a couple of weeks
everyone forgot why those networks went off-line.  Yeah, I know they didn't
have an "outage"; you just couldn't use their networks for the day because
of the problem.  AT&T did publicly say what happened to their network; I've
never seen a public statement from Sprint.

It's easy to blame backhoes for Internet problems, because it is a third-party.
But these routing errors are created by us.  Yes, we have met the enemy, and
it's us.
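The thread above describes three "reasonableness" checks an operator can run before accepting a customer's prefix announcement: is there a recorded delegation of authority (with contact information on file), is the IN-ADDR.ARPA reverse zone actually delegated to that customer, and is the route already being announced by someone else. The following is an added example written for this page, not code from the poster or from NANOG; the registry records, reverse-zone delegations, route-table entries, holder names and AS numbers are all constructed samples, and a real deployment would query the RIR database, the DNS and a route collector instead.

```python
"""Pre-announcement sanity checks for a customer prefix (added example).

All data below is constructed for illustration: the registry table, the
reverse-zone delegations, the current route table, the holder names and the
AS numbers are made up and do not describe any real network.
"""

import ipaddress

# Constructed stand-in for a registry delegation database:
# prefix -> (registered holder, contact information on file?)
REGISTRY = {
    "192.0.2.0/24": ("Example Corp", True),
    "198.51.100.0/24": ("Example ISP", True),
    "203.0.113.0/24": ("Example Net", False),  # holder never registered a contact
}

# Constructed stand-in for IN-ADDR.ARPA: reverse zones that have actually
# been delegated, and to whom.
REVERSE_DELEGATED = {
    "2.0.192.in-addr.arpa": "Example Corp",
    "100.51.198.in-addr.arpa": "Example ISP",
}

# Constructed current routing table: prefix -> origin AS announcing it today.
ROUTE_TABLE = {
    "198.51.100.0/24": 64500,  # already announced by Example ISP's AS
}


def reverse_zone(net: ipaddress.IPv4Network) -> str:
    """IN-ADDR.ARPA zone name for a /24 (other prefix lengths are skipped by the caller)."""
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def check_announcement(customer: str, prefix: str, origin_as: int) -> list[str]:
    """Return the problems found; an empty list means the announcement looks reasonable."""
    problems = []
    net = ipaddress.ip_network(prefix, strict=True)

    # 1. Delegation of authority: is the customer the recorded holder of this
    #    prefix or of a covering prefix, and is contact information on file?
    holder, has_contact = None, False
    for reg_prefix, (reg_holder, contact) in REGISTRY.items():
        if net.subnet_of(ipaddress.ip_network(reg_prefix)):
            holder, has_contact = reg_holder, contact
            break
    if holder is None:
        problems.append("no registry delegation covers this prefix")
    elif holder != customer:
        problems.append(f"prefix is delegated to {holder}, not {customer}")
    elif not has_contact:
        problems.append("holder has no contact information registered")

    # 2. Reverse mapping: for a /24, is the IN-ADDR.ARPA zone delegated to the customer?
    if net.prefixlen == 24 and REVERSE_DELEGATED.get(reverse_zone(net)) != customer:
        problems.append("IN-ADDR.ARPA zone is not delegated to this customer")

    # 3. Routing table: is an equal or covering route already announced from a
    #    different origin AS?  Accepting it would black-hole the existing user.
    for rt_prefix, rt_as in ROUTE_TABLE.items():
        rt_net = ipaddress.ip_network(rt_prefix)
        if net.subnet_of(rt_net) and rt_as != origin_as:
            problems.append(f"{rt_prefix} is already announced by AS{rt_as}")

    return problems


if __name__ == "__main__":
    requests = [
        ("Example Corp", "192.0.2.0/24", 64496),       # clean
        ("Example Corp", "198.51.100.0/24", 64496),    # someone else's, already routed
        ("Example Net", "203.0.113.0/24", 64501),      # paperwork incomplete
        ("Example ISP", "198.51.100.128/25", 64500),   # holder's own more-specific
    ]
    for customer, prefix, asn in requests:
        found = check_announcement(customer, prefix, asn)
        verdict = "ACCEPT" if not found else "HOLD"
        print(f"{verdict} {customer} {prefix} AS{asn}: {found or 'ok'}")
```

A prefix that fails any check is held for a human to look at rather than rejected outright, since, as the post notes, many legitimate delegations have incomplete paperwork; the point is that the checking happens before the announcement goes out, not after somebody else's network disappears.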