North American Network Operators Group


Re: Defeating DoS Attacks Through Accountability

  • From: Sean Donelan
  • Date: Sun Nov 12 20:40:53 2000

On Sun, 12 November 2000, Daniel Senie wrote:
> I'm not sure you're being clear. If someone has portable /24 or /16, and
> does NOT do their own BGP, but contracts with ONE ISP to do that
> advertisement. How do other ISPs know that ISP has permission? We could
> point to the RADB, but it's chock full of bogus data. We could point to
> ARIN, but their database just says the owner of the net in question is
> whomever it is. Those who own that space have a legitimate right to use
> that space, so telling them to get ISP-provided space is a non-starter.
> 
> I agree it's a problem in need of a proper solution. The solution has to
> account for portable address space not owned by providers.

There are several steps involved.  I am talking about the very first
step.

If someone has portable /24 or /16 space, there is a coordinator of
record listed in ARIN's, RIPE's or APNIC's database.  The first ISP
to inject the address into BGP must have proper authorization from
the coordinator of record.  If we start out with garbage, the rest is
irrelevant.  We need to get the starting point fixed.

The argument "they are paying us, so we do whatever they tell us" is
bogus.

After we have a good starting point, what do we do about the transitive
validation, i.e. how do you know the entire AS path is valid?

It should come as no surprise that I think ARIN is messed up.  In addition
to the coordinator of record and list of in-addr.arpa name servers, I
think it should include a routing delegation: either listing the ASNs
directly with the delegation, as RIPE does, or providing a pointer to
a third-party routing database of record for the IP address block.

But the transitive steps are garbage if the starting point is garbage.
As we've seen with the RADB, when anyone can put junk into the database,
it gets full of junk.  Sean Doran's 0/0 routes are the perfect example.

If a complete answer is "hard," can we at least work on getting the
first step correct?
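The "first step" Sean describes, an origin check against a routing delegation kept by the coordinator of record, as an added example that is not part of the original post or of any registry's software. The registry, the ASNs and the announcements are all constructed from documentation ranges; the check classifies each announcement as valid, invalid, or not-found, and treats a 0/0 route as junk outright.

```python
import ipaddress

# Constructed "routing delegation" registry (hypothetical; not ARIN/RIPE data):
# address block -> ASNs the coordinator of record authorized to originate it,
# and the longest more-specific prefix they may announce.
DELEGATIONS = {
    ipaddress.ip_network("192.0.2.0/24"):    {"origins": {64501}, "max_len": 24},
    ipaddress.ip_network("198.51.100.0/24"): {"origins": {64502, 64503}, "max_len": 26},
    ipaddress.ip_network("203.0.113.0/24"):  {"origins": {64504}, "max_len": 24},
}

def validate_origin(prefix_str, as_path):
    """Classify one BGP announcement against the delegation registry.

    Returns 'valid' if the origin AS (last AS in the path) is authorized for a
    block covering the prefix and the prefix is no more specific than allowed,
    'invalid' if a covering delegation exists but does not permit this origin or
    length, and 'not-found' if nothing on record covers the prefix.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    if prefix.prefixlen == 0:
        return "invalid"          # a default route is never anyone's delegated block
    origin = as_path[-1]
    covering = [net for net in DELEGATIONS
                if net.version == prefix.version and prefix.subnet_of(net)]
    if not covering:
        return "not-found"
    for net in covering:
        entry = DELEGATIONS[net]
        if origin in entry["origins"] and prefix.prefixlen <= entry["max_len"]:
            return "valid"
    return "invalid"

# Constructed sample announcements as (prefix, AS path); the last AS originates.
ANNOUNCEMENTS = [
    ("192.0.2.0/24",    [64510, 64501]),  # authorized origin
    ("198.51.100.0/25", [64510, 64503]),  # more-specific, within max_len
    ("198.51.100.0/27", [64510, 64503]),  # too specific for the delegation
    ("203.0.113.0/24",  [64510, 64599]),  # origin never authorized for this block
    ("10.0.0.0/8",      [64510, 64501]),  # no delegation on record at all
    ("0.0.0.0/0",       [64510, 64501]),  # junk default route
]

def audit(announcements):
    """Return {(prefix, origin AS): status} for every announcement."""
    return {(p, path[-1]): validate_origin(p, path) for p, path in announcements}

if __name__ == "__main__":
    for (p, origin), status in audit(ANNOUNCEMENTS).items():
        print(f"{p:18} origin AS{origin}: {status}")
```

Only the origin is checked here; the transitive question Sean raises (whether the whole AS path is valid) needs more than this registry can answer.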