|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: the problems being solved -- or not
Pekka Savola wrote: Two of Tony Li's points (accidentally advertising prefixes and forging prefixes as an attack) have nothing to do with ISPs filtering out crap from their customers. The talk at NANOG demonstrated that peering ISPs were vulnerable to the cruft from the offending ISP, not (just) transit ISPs.On Mon, 23 May 2005, Tony Li wrote:Which is EXACTLY why we need to remember that we are NOT trying to come up with the perfect solution. We have operational issues *TODAY* that we are trying to address. - We have people (admittedly accidentally) advertising prefixes that they do not own and thereby overloading BGP. See the talk at the latest NANOG. - We have people intentionally out there forging /24's as an attack. - We have OTHER people out there flooding the networks with their /24's so that they are less vulnerable to attack by forged /24's, and thereby exacerbating the BGP overload problem. So, what can you do? Everyone must process their incoming full Internet feed and filter out bogus advertisements. Prefix lists based on RIPE, RADB, etc. could block the more specific, but not an equal length prefix.Prefix lists aren't the (whole) solution. The solution must check the {prefix, origin AS} correlation, and may check a subset of {prefix, origin AS, AS path, peer AS policy, (intermediate AS policy(ies)}. So, I guess I must ask -- if prefix lists haven't been deployed, why would this be?Probably NVRAM constraints or ability to decipher the RIR tools to make a functional policy implementation. But see above, as prefix lists would NOT have solved the AS9121 problem, as was pointed out. pt
|