Deciding whose network block is whose?

• Previous message (by thread): Deciding whose network block is whose?
• Next message (by thread): Deciding whose network block is whose?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Geoff Huston <gih at telstra.net> writes:

> I am looking to the regional registeries to take some level of initiative 
> and provide clients of their address allocation service the ability to 
> sign the allocation and then the client can sign the routing request to the
> provider which the provider can verify against the regional registry.
> We went through this in discussion in the room at the time and it
> looked like a viable and useful approach.

Yes, but this is only part of the problem.

I mean, fantastic idea, but then it's not exactly
transitive.  How do I know I can trust that Telstra's
announcements have been authorized by the people
responsible for the prefixes in question?  Worse, since I
do not talk directly with Telstra, how do I know I can
trust the intermediary networks not to have performed (or
fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I
do to prevent falling victim to subnet-announcement
attacks?  Note that a larger CIDR block can still fall
victim to announcements of /19s in networks which use The
Satanic Filters.

Perhaps you have some idea other than mine (prayer) for
scalably solving these and similar issues?

	Sean.

• Previous message (by thread): Deciding whose network block is whose?
• Next message (by thread): Deciding whose network block is whose?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]