North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Defeating DoS Attacks Through Accountability

  • From: Sean Donelan
  • Date: Sun Nov 12 20:40:53 2000

On Sun, 12 November 2000, Daniel Senie wrote:
> I'm not sure you're being clear. If someone has portable /24 or /16, and
> does NOT do their own BGP, but contracts with ONE ISP to do that
> advertisement. How do other ISPs know that ISP has permission? We could
> point to the RADB, but it's chock full of bogus data. We could point to
> ARIN, but their database just says the owner of the net in question is
> whomever it is. Those who own that space have a legitimate right to use
> that space, so telling them to get ISP-provided space is a non-starter.
> I agree it's a problem in need of a proper solution. The solution has to
> account for portable address space not owned by providers.

There are several steps involved.  I am talking about the very first

If someone has portable /24 or /16 space, there is a coordinator of
record listed in ARIN's, RIPE's or APNIC's database.  The first ISP
to inject the address into BGP must have proper authorization from
the coordinator of record.  If we start out with garbage, the rest is
irrelevant.  We need to get the starting point fixed.

The argument "they are paying us, so we do whatever they tell us" is

After we have a good starting point, what do we do about the transitive
validation, i.e. how do you know the entire AS path is valid?

It should come as no surprise, I think ARIN is messed up.  In addition
to the coordinator of record and list of name servers, I
think it should include a routing delegation.  Either listing the ASN's
directly with the delegation, such as RIPE, or providing a pointer to
a third-party routing database of record for the IP address block.

But the transitive steps are garbage if the starting point is garbage.
As we've seen with the RADB, when anyone can put junk into the database,
it gets full of junk.  Sean Doran's 0/0 routes are the perfect example.

If a complete answer is "hard," can we at least work on getting the
first step correct?