Deciding whose network block is whose?
Sean M. Doran
smd at clock.org
Tue Jan 6 19:13:47 UTC 1998
Geoff Huston <gih at telstra.net> writes:
> I am looking to the regional registries to take some level of initiative
> and provide clients of their address allocation service the ability to
> sign the allocation and then the client can sign the routing request to the
> provider which the provider can verify against the regional registry.
> We went through this in discussion in the room at the time and it
> looked like a viable and useful approach.

Yes, but this is only part of the problem.

I mean, fantastic idea, but then it's not exactly
transitive. How do I know I can trust that Telstra's
announcements have been authorized by the people
responsible for the prefixes in question? Worse, since I
do not talk directly with Telstra, how do I know I can
trust the intermediary networks not to have performed (or
fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I
do to prevent falling victim to subnet-announcement
attacks? Note that a larger CIDR block can still fall
victim to announcements of /19s in networks which use The

Perhaps you have some idea other than mine (prayer) for
scalably solving these and similar issues?
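
An added example, not part of the original message: it shows why a /19 prefix-length filter alone does not protect a larger CIDR block, and how a lookup against registry allocation data flags the more-specific announcement. The prefixes, AS numbers, and the ALLOCATIONS table are constructed, and the lookup is a simplified stand-in for the signed-allocation check described in the quoted text (no signatures are modelled).

```python
import ipaddress

MAX_PREFIX_LEN = 19  # assumed filter policy: drop anything longer than /19

# Constructed registry data: allocated block -> AS allowed to originate it.
ALLOCATIONS = {ipaddress.ip_network("10.16.0.0/16"): 64500}

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("10.16.0.0/16", 64500),   # the holder's own aggregate
    ("10.16.32.0/19", 64511),  # more-specific from an unrelated AS
    ("10.16.64.0/24", 64511),  # longer than the filter allows
]

def build_table(announcements, max_len=MAX_PREFIX_LEN):
    """Install only announcements that pass the prefix-length filter."""
    table = {}
    for text, origin in announcements:
        prefix = ipaddress.ip_network(text)
        if prefix.prefixlen <= max_len:
            table[prefix] = origin
    return table

def best_route(table, address):
    """Longest-prefix match: return (prefix, origin AS) or None."""
    addr = ipaddress.ip_address(address)
    matches = [p for p in table if addr in p]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.prefixlen)
    return str(best), table[best]

def is_authorized(prefix, origin, allocations=ALLOCATIONS):
    """True if the prefix lies inside a block allocated to this origin AS."""
    return any(prefix.subnet_of(block) and origin == holder
               for block, holder in allocations.items())

def unauthorized_routes(table, allocations=ALLOCATIONS):
    """Routes that passed the length filter but fail the allocation check."""
    return sorted((str(p), o) for p, o in table.items()
                  if not is_authorized(p, o, allocations))

if __name__ == "__main__":
    table = build_table(ANNOUNCEMENTS)
    print("route for 10.16.40.1:", best_route(table, "10.16.40.1"))
    print("route for 10.16.200.1:", best_route(table, "10.16.200.1"))
    print("fails allocation check:", unauthorized_routes(table))
```

The allocation check covers only the origin AS; it says nothing about the intermediate ASes in the path, which is the second concern raised in the message.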