Paul A Vixie
paul at vix.com
Tue Dec 30 19:39:54 UTC 1997

i've been tracking some spammers through unallocated address space of late.
i'm about to have to turn on extreme-level debugging in my bgp speaker, since
what's been happening is that a route is injected "somewhere" to unallocated
space, a whole boatload of relayspam is unloaded in a matter of minutes, and
the unallocated-space route is withdrawn.

so i read with some interest the recent nanog discussions about how folks knew
that a given customer really was the owner of some prefix they wanted to use.
while i heard some good answers from some well known parties, the silence from
the ramparts was deafening.

a lot of younger ISP's inject their IGP into their EGP. we hear about this
when autoaggregation fails, but we don't hear about it when routing table
bloat doesn't cause us to focus our attention on it.

older ISP's all or mostly all know that everything they inject into their EGP
should be a nailed up static, and that the multihomed exceptions are few
enough to treat as one-off's.

however, when you set up BGP peerage with somebody, you're at the mercy of
whatever level of selectivity they use in their injections. that is, most
folks do not use RPSL or the PRDB or whatever to control what they'll listen
to from a BGP peer. the assumption of trust and competence still runs high
among people who speak BGP to each other.

so the question that's got me perturbed at the moment is, if a spammer wanted
to spam from unallocated address space using five minute windows, would YOUR
routing core allow it? subquestion 1: if the spammer is your customer.
subquestion 2: if the spammer is a customer of one of your BGP peers.
subquestion 3: if the spammer is a customer of a distant BGP-connected AS.

i've sent reply-to to myself. i will summarize responses back to the list.
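
The pattern described in the message above (a route to unallocated space appears, then is withdrawn minutes later) can be checked for in a BGP update log. This is an added example, not part of the original post; the log format, the `ALLOCATED` list, the prefixes and the AS numbers are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for a registry allocation list (assumption, not real data).
ALLOCATED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed update log in a hypothetical format:
# time, A(nnounce)/W(ithdraw), prefix, AS path
SAMPLE_LOG = """\
1997-12-30T19:00:00 A 192.0.2.0/25 64500 64501
1997-12-30T19:02:10 A 203.0.113.0/24 64500 64666
1997-12-30T19:06:40 W 203.0.113.0/24
1997-12-30T19:10:00 A 198.18.0.0/24 64500 64502
1997-12-30T19:15:00 A 198.19.0.0/16 64500 64503
1997-12-30T21:30:00 W 198.18.0.0/24
"""

def is_allocated(prefix):
    """True if the prefix lies entirely inside one allocated block."""
    return any(prefix.version == a.version and prefix.subnet_of(a)
               for a in ALLOCATED)

def find_unallocated_routes(log, short_window=timedelta(minutes=10)):
    """Return (prefix, as_path, lifetime, short_lived) for every route
    announced outside allocated space; lifetime is None if still active."""
    active, findings = {}, []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(fields[0])
        action, prefix = fields[1], ipaddress.ip_network(fields[2])
        if action == "A" and not is_allocated(prefix):
            # keep the first announcement time if the route is re-announced
            active.setdefault(prefix, (ts, fields[3:]))
        elif action == "W" and prefix in active:
            start, path = active.pop(prefix)
            life = ts - start
            findings.append((str(prefix), path, life, life <= short_window))
    # routes never withdrawn are still worth reporting
    findings += [(str(p), path, None, False) for p, (_, path) in active.items()]
    return findings

if __name__ == "__main__":
    for prefix, path, life, short in find_unallocated_routes(SAMPLE_LOG):
        flag = "SHORT-LIVED" if short else "unallocated"
        print(f"{flag:12} {prefix:18} lifetime={life} path={' '.join(path)}")
```

The AS path recorded with each finding is what identifies which peer or customer session the route was accepted from.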