route ingress

Justin W. Newton justin at priori.net
Wed Dec 31 00:22:54 UTC 1997


At 04:13 PM 12/30/97 -0800, Vadim Antonov wrote:
>> filters are your friend.  filters are your friends' friend.
>
>Yes, but centralized database is not the answer.  For one, it
>is liable to be screwed up completely from time to time (that much,
>InterNIC experience shows us).  It is expensive to maintain; and
>the problem of accuracy of the information within is quite acute.
>The political implications of a centralized agency are even worse;
>I do not think we want a replay of the domain name debate.
>
>The only real solution is strong cryptographical authentication of
>the ownership of routing prefixes.   For some reason I do not see
>any serious work in that direction being done.
>
>For now, it may be a good idea for tier-1 providers to adhere to a
>procedure similar to that used (or used to be used) by Sprint: no
>customer routing information is accepted before customer's border
>box configuration passed inspection by Sprint staff.  No-nos included
>unfiltered redistribution of IGP into BGP and lack of anti-transit AS-path
>filters.

Vadim,
	Your policy above is unwise from the perspective that it seems to believe
that configuration errors are a one-time problem.  A more reasonable policy
is to help your customers learn how to set up filters properly, and then
filter heavily on /your/ router to make certain that no matter what they do
they can't affect either your internal or external routing.



**************************************************************
Justin W. Newton                        voice: +1-650-482-2840 	
Senior Network Architect                  fax: +1-650-482-2844
PRIORI NETWORKS, INC.                    http://www.priori.net
Legislative and Policy Director, ISP/C   http://www.ispc.org
"The People You Know.  The People You Trust."
**************************************************************
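
The provider-side filtering argued for above, as an added example that is not part of the original message: each route heard from a customer is checked against that customer's prefix list and an AS-path rule before it can affect the provider's routing. The policy layout, function names, prefixes and AS numbers are assumptions, built from documentation address blocks and reserved ASNs.

```python
import ipaddress

# Constructed policy for one customer session (documentation prefixes, reserved ASNs).
POLICY = {
    "asn": 64500,              # customer's own AS
    "downstream": {64501},     # ASes the customer may provide transit for
    "blocks": [                # (assigned block, longest prefix length accepted)
        (ipaddress.ip_network("192.0.2.0/24"), 24),
        (ipaddress.ip_network("198.51.100.0/24"), 25),
    ],
    "max_path_len": 6,         # bounds AS-path prepending
}

def check_announcement(prefix, as_path, policy=POLICY):
    """Return (accepted, reason) for one route heard from the customer."""
    try:
        net = ipaddress.ip_network(prefix)
    except ValueError:
        return False, "malformed prefix"
    in_block = any(
        net.version == block.version and net.subnet_of(block) and net.prefixlen <= longest
        for block, longest in policy["blocks"]
    )
    if not in_block:
        return False, "prefix not on customer's list"
    if not as_path or as_path[0] != policy["asn"]:
        return False, "path does not start at customer AS"
    if len(as_path) > policy["max_path_len"]:
        return False, "path too long"
    allowed = {policy["asn"]} | policy["downstream"]
    if any(asn not in allowed for asn in as_path):
        return False, "foreign AS in path (customer leaking transit)"
    return True, "accepted"

# Constructed updates: (prefix, AS path with the neighbor's AS first).
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500]),
    ("198.51.100.128/25", [64500, 64500, 64501]),
    ("192.0.2.0/25", [64500]),                    # more specific than agreed
    ("203.0.113.0/24", [64500]),                  # e.g. IGP redistributed into BGP
    ("198.51.100.0/24", [64500, 64496, 64499]),   # path learned from another provider
]

def filter_updates(updates, policy=POLICY):
    """Split updates into accepted routes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for prefix, path in updates:
        ok, reason = check_announcement(prefix, path, policy)
        (accepted if ok else rejected).append((prefix, path) if ok else (prefix, reason))
    return accepted, rejected
```

Because the check runs on every update rather than once at turn-up, a later configuration error on the customer side is dropped at the provider's edge.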



More information about the NANOG mailing list