ROVER routing security - it's not enumeration

Christopher Morrow morrowc.lists at gmail.com
Tue Jun 5 21:23:47 UTC 2012


On Tue, Jun 5, 2012 at 5:00 PM, Randy Bush <randy at psg.com> wrote:
>>>>> routing protection without enumeration.
>>>> I can see a use-case for something like:
>>>>   "Build me a prefix list from the RIR data"
>>> this requires a full data fetch, not doable in dns.
>> does it? shane implied (and it doesn't seem UNREASONABLE, modulo some
>> 'doing lots of spare queries') to query for each filter entry at
>> filter creation time, no?
>
> what is the query set, every prefix /7-/24 for the whole fracking ABC
> space?
>
>> that could be optimized I bet, but it SEEMS doable, cumbersome, but
>> doable.  the 'fail open' answer also seems a bit rough in this case
>> (but no worse than 'download irr, upload to router, win!' which is
>> today's model).
>
> irr, i do have the 'full' set.  but you said RIR (the in-addr roots),
> not IRR.  was it a mis-type?

oh hell :( yes, I meant IRR.

> and i am not gonna put my origin data in the irr and the dns.

yea... so today people already fill in:

   RIR (swip/rwhois)
   IRR (routing filter updates)
   DNS (make sure your mailserver has PTRs!)

putting origin-validation data into IRRs happens today, it's not
'secured' in any fashion, and lots of proof has shown that 'people
fill it with junk' :( So being able to bounce the IRR data off some
verifiable source of truth seems like a plus. How verifiable is the
rdns-rover tree though? how do I get my start in that prefix hierarchy
anyway? by talking to IANA? to my local RIR? to 'jimbo the dns guy
down the street?' (I realize that referencing the draft would probably
get me this answer but it's too hard to look that up in webcrawler
right now...)

-Chris
