ANS to CIX Interconnection

R. Eric Bennett reb
Fri Oct 2 02:29:03 UTC 1992


--> From:  "Milo S. Medin" (NASA ARC NSI Office) <medin at nsipo.nasa.gov>

  > Mark, the main problem for us is if you don't filter out the 97 some odd
  > nets out of the AS 1957 routes you send us.  If you are willing to do
  > that, then we still don't have any new administrative load, and from NSI's
  > point of view, we're happy.  Did I read your statement right?  If so, we'd
  > definitely like to take you up on this offer!

If you don't want to hear about the ~97 nets AND you don't do default routing
then you are fine.  In other words, you read Mark correctly and are fine.
This situation is not a problem UNLESS you point default.
 
  > You say: "For regionals using default, it isn't possible to prevent traffic
  > from being sent from the regional to the CIX."

Pointing default is, in a sense, like stating that you trust the network to
which you default (and all of its peers) with your packets.  You have given up
your only means of controlling your traffic.

I've even heard someone state that "pointing default is a kludge."  If not a
kludge, it is certainly a substitute for horsepower (which may be a financial
even a technical consideration) that affords no mechanism to enforce one's own
policy.  You can then ask someone else to enforce your policy for you but if
they say they can't...

  > This is true, given a certain
  > set of assumptions, such as that the ENSS and CNSS's having the same set of
  > routes.  If the ENSS did not install the 97 nets etc, in its routing
  > table, then since it didn't have default, it would generate net unreachable
  > messages and the traffic wouldn't flow.  Given that I thought this kind of
  > thing was possible given your implementation and use of IBGP and such,
  > then this shouldn't be that hard.  Again, please correct me if I'm offbase
  > here.

You're both correct and offbase.

It is true that IF the ENSSes did not install the routes you would have solved
the problem FOR EVERYONE USING THE ENSS (all of whom may not have the same
policy restrictions).

It is not true that "given your implementation and use of IBGP and such" ANS
can do this.  As I understand it, intra-domain protocols (IBGP, IIDRP) have as
a design basis the assumption that all internal neighbors have full disclosure
of routing information between themselves.  Regardless, the implementation that
ANS uses does not support this feature.

One option (as Vince Fuller pointed out while I typed this) is to do IBGP with
CNSSes and have each ENSS peer with both the regional and the CNSS IBGP mesh.
This is effective but ugly.  Besides slowing the propagation of routes within
the backbone, it adds 2 ASes to the AS path, uses up AS numbers like they are
going out of style, and accomplishes nothing more than a regional could if it
had the horsepower to enforce its own policy restrictions.

  > You certainly could argue that this sort of thing is necessary for ANS
  > to serve its member network's needs for CO+RE service.  The real question
  > is whether or not it is possible to do this and not increase the administrative
  > load of non-participating regionals under your NSFNET agreement.  The key
  > to resolving the latter question is how much flexibility you guys have 
  > with the import and export of routing information into the routing tables
  > of the ENSS's, and to be honest, I have only peripheral knowledge of the 
  > current way routes are sent around inside the T3 system (not because you
  > guys are being secretive, just that I haven't been following this very
  > closely due to work load problems).  

Yes, one could argue that but as I stated it is not possible to do this without
kludges and even with such kludges, it would still be effective only
on an ENSS (router) basis and not on an AS basis.
 
I believe, as Mark said, that currently the architecturally clean thing to do
is to try to get each AS to control their own policy, hopefully in a spirit of
cooperation and disclosure with its peers.  That way the backbone can forward
packets as effectively as possible, stopping only to do minimal verification of
ownership of networks and regionals can make/implement decisions whenever they
choose without a backbone provider serving as middleman.

  > Thanks,
  > Milo

I guess I see this as a step in the right direction.  But then I dream of an
AUP-less world full of white picket fences...

I wear only my own hats and I route my opinions under the same policy,
eric
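The effect Eric and Milo are discussing, as an added illustration (example code written for this page, not part of the original message or of any ANS/NSI configuration): a regional that filters the unwanted AS 1957 nets and does not point default answers "net unreachable" for them, while the same filter with a default route still sends that traffic to the ENSS. The prefixes are RFC 5737 documentation space standing in for the ~97 nets, and the next-hop names are constructed.

```python
import ipaddress

# Constructed sample advertisement from the ENSS: 203.0.113.0/24 stands in for
# one of the "~97 nets" the regional's policy does not want to reach via ANS.
ADVERTISED = {
    "192.0.2.0/24":    {"origin_as": 1957, "next_hop": "enss"},
    "198.51.100.0/24": {"origin_as": 1957, "next_hop": "enss"},
    "203.0.113.0/24":  {"origin_as": 1957, "next_hop": "enss"},
}
UNWANTED = {"203.0.113.0/24"}   # the regional's own policy list (constructed)


def build_fib(advertised, unwanted, default_next_hop=None):
    """Install only routes the regional's policy accepts; optionally add default."""
    fib = {}
    for prefix, attrs in advertised.items():
        if prefix in unwanted:
            continue  # policy enforced here, by the regional, not by the backbone
        fib[ipaddress.ip_network(prefix)] = attrs["next_hop"]
    if default_next_hop is not None:
        fib[ipaddress.ip_network("0.0.0.0/0")] = default_next_hop
    return fib


def forward(fib, dst):
    """Longest-prefix match; None means the router generates net unreachable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def demo():
    """Same filter, with and without a default route."""
    no_default = build_fib(ADVERTISED, UNWANTED)
    with_default = build_fib(ADVERTISED, UNWANTED, default_next_hop="enss")
    return {
        "accepted_net": forward(no_default, "192.0.2.10"),            # "enss"
        "unwanted_no_default": forward(no_default, "203.0.113.10"),   # None
        "unwanted_with_default": forward(with_default, "203.0.113.10"),  # "enss"
    }
```

With default pointed, the filter is cosmetic: the packet still leaves for the ENSS, which does hold the route and forwards it on, so the only place the policy can be enforced is the regional's own table.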
