ROVER routing security - its not enumeration
Christopher Morrow
morrowc.lists at gmail.com
Tue Jun 5 19:44:21 UTC 2012
On Tue, Jun 5, 2012 at 3:40 PM, Randy Bush <randy at psg.com> wrote:
>>> There are number of operational models that provide the needed
>>> routing protection without enumeration.
>> I can see a use-case for something like:
>> "Build me a prefix list from the RIR data"
>
> this requires a full data fetch, not doable in dns.
does it? shane implied (and it doesn't seem UNREASONABLE, modulo some
'doing lots of spare queries') to query for each filter entry at
filter creation time, no?

get-as-GOOGLE = 216.239.32.0/19
lookup-in-dns = <rover-query-for-/19> + <rover-query-for-/20> +
<rover-query-for-/21>.....

that could be optimized I bet, but it SEEMS doable, cumbersome, but
doable. the 'fail open' answer also seems a bit rough in this case
(but no worse than 'download irr, upload to router, win!' which is
today's model).
-chris
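
The per-entry lookup sketched in the message above, as an added example that is not part of the original post: it walks 216.239.32.0/19 and its more-specifics, counts the queries needed, and compares fail-open with fail-closed filter building. Assumptions: `lookup` is a hypothetical stand-in for a ROVER DNS query (the DNS name encoding is not shown), "no record" is treated as "no answer", more-specifics are checked down to /24, and the origin data and ASNs 64500/64501 are constructed samples.

```python
import ipaddress

def candidate_prefixes(prefix, max_len=24):
    """Yield the prefix itself and every more-specific down to max_len."""
    net = ipaddress.ip_network(prefix)
    for length in range(net.prefixlen, max_len + 1):
        yield from net.subnets(new_prefix=length)

def build_filter(prefix, origin_asn, lookup, max_len=24, fail_open=True):
    """Query once per candidate prefix; return (accepted prefixes, query count).

    lookup(net) returns a set of authorized origin ASNs, or None when
    there is no answer (assumption: no data and timeout look the same).
    """
    accepted, queries = [], 0
    for net in candidate_prefixes(prefix, max_len):
        queries += 1
        origins = lookup(net)
        if origins is None:
            # No answer: fail-open keeps the route, fail-closed drops it.
            if fail_open:
                accepted.append(net)
        elif origin_asn in origins:
            accepted.append(net)
        # An answer naming only other origins is rejected in both modes.
    return accepted, queries

# Constructed sample data standing in for published origin records.
SAMPLE_ROVER = {
    ipaddress.ip_network("216.239.32.0/19"): {64500},
    ipaddress.ip_network("216.239.32.0/20"): {64500},
    ipaddress.ip_network("216.239.48.0/20"): {64501},  # different origin
}

def sample_lookup(net):
    """Hypothetical resolver: answers only for the constructed records."""
    return SAMPLE_ROVER.get(net)

if __name__ == "__main__":
    for mode in (True, False):
        accepted, queries = build_filter(
            "216.239.32.0/19", 64500, sample_lookup, fail_open=mode)
        label = "fail-open" if mode else "fail-closed"
        print(f"{label}: {queries} queries, {len(accepted)} prefixes accepted")
```

A single /19 filter entry already costs 63 lookups at this depth, and under fail-open every unanswered more-specific ends up in the filter.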