Alpha test of MAE filtering capability

Dennis Ferguson dennis at
Sat Feb 1 05:06:14 UTC 1997

>     Entirely agreed.  On the other hand I have what is turning out to be a
>     unique (here) point of view about this.  I don't want to prevent this
>     kind of theft -- I want to discover it, and remove perpetrators from any
>     IXP where they try it.  I don't want to block it.  I want to ensure that
>     it is never tried twice.  I appear to be in the minority wrt this view.
> This is a great idea. But do you have any idea how much expert engineer time
> is involved in tracking down theft of this sort? Most of our employers would
> much rather spend that resource on tackling the big problems.

Actually, I think the best way to do this would be to sample
source/destination address pairs from packets passing through all your
edge routers, and then to use a snapshot of the `normal' routing through
your network to reduce this to a matrix of traffic loads between all
entrance and exit points in your network.  The tool that was doing this
could then immediately detect unauthorized transit by looking for
significant traffic loads where neither end is rooted at one of your

The reason that one's employer might (and certainly should) be keen to
do this even at the expense of a substantial amount of high-priced talent
is that the ingress-egress traffic matrix you measure this way can also
be used to predict the effect of link metric changes on your link loads
before you make the changes, or to predict the load you'll see on new
circuits and the load relief on existing circuits before purchasing
and installing the new ones, and where to best place new circuits to
maximize their benefit, all things which the measurement of interface
loads alone can't help you with.  Hence the data you need to measure to
detect unauthorized use is also precisely the data you need to do traffic
engineering in a network of routers, both in the core of the network (if
you haven't installed an ATM/FR core in the center of the network to
measure this already) and to engineer interconnect traffic (which even
a switched core infrastructure doesn't help with).

I think the fact that one can't detect unauthorized transit currently is
hence very sad, less because I think unauthorized transit is serious (though
I do) than because the unavailability of this data also pretty much limits
one to doing traffic engineering by gut-instinct trial-and-error, with
increasing probability of getting it increasingly wrong as the topological
complexity of the network goes up (I know this from experience...).  There
is more than one reason to want to have very accurate knowledge of where
traffic in your network is coming from and going to, the need for edge
filtering in lieu of detection is a symptom of a more basic failure.

Dennis Ferguson

More information about the NANOG mailing list