North American Network Operators Group
BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]
Changed the subject line a little...
On Mon, 25 Feb 2008, Hank Nussbacher wrote:
At 03:14 AM 25-02-08 -0500, Paul Wall wrote:
Results were planned to be presented at the next NANOG, but they shouldn't be a surprise to anyone in the industry: nobody filters.
In a lot of this dialogue, many say, "you should prefix filter". However, I'm not seeing how an ISP could easily adopt such filtering.
Let's consider the options:
1) manually maintained prefix-filters. OK for small ISPs or small users where the prefix churn is minimal.
2) build the filters based on IRR data. But which IRRs to use? Some points here:
a) only RIPE IRR uses a sensible security model [1], so if you use others, basically anyone can add route objects to the registry. How exactly would this model be useful?
b) use your own IRR where you require your customers to add the route objects and verify that they're OK. This means a lot of work for you and even more for your customers.
So, this is no excuse for not doing prefix filtering if you only do business in the RIPE region, but anywhere else the IRR data is pretty much useless, incorrect, or both.
(Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix filtered, based on RIPE IRR data (with one exception). IPv4 peers' advertisements seem to be too big a mess, and too long filters, to fix this way.)
[1] Joe Abley's explanation on SIDR list on 20 Jun 2007: http://www.ietf.org/mail-archive/web/sidr/current/msg00201.html
--
Pekka Savola, Netcore Oy. Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings
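An added example, not part of the original post: a sketch of option 2 above, building a customer prefix filter from IRR route objects while honouring only objects whose `source:` is a registry the operator has chosen to trust. The RPSL objects, AS numbers, prefixes, function names and the `max_len` policy are all constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes and private-use ASNs).
SAMPLE_IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
source:  RIPE

route:   198.51.100.0/24
origin:  AS64500
source:  RADB

route:   203.0.113.0/24
origin:  AS64501
source:  RIPE
"""

def parse_route_objects(text):
    """Yield one dict per RPSL object; objects are separated by blank lines."""
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj[key.strip().lower()] = value.strip()
        if "route" in obj and "origin" in obj:
            yield obj

def build_filter(text, customer_as, trusted_sources):
    """Prefixes registered for customer_as, taken only from trusted registries."""
    return sorted(
        (ipaddress.ip_network(o["route"]) for o in parse_route_objects(text)
         if o["origin"].upper() == customer_as
         and o.get("source", "").upper() in trusted_sources),
        key=lambda n: (n.network_address, n.prefixlen))

def permitted(announcement, prefix_filter, max_len=24):
    """Accept an exact match or a more-specific no longer than max_len."""
    net = ipaddress.ip_network(announcement)
    return net.prefixlen <= max_len and any(
        net.subnet_of(allowed) for allowed in prefix_filter)

if __name__ == "__main__":
    flt = build_filter(SAMPLE_IRR_DUMP, "AS64500", {"RIPE"})
    for ann in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"):
        print(ann, "accept" if permitted(ann, flt) else "reject")
```

Widening `trusted_sources` admits the second object as well, which is the trade-off point a) describes: the filter is only as good as the registry's control over who may create route objects.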