69/8...this sucks
Stephen J. Wilcox
steve at telecomplete.co.uk
Tue Mar 11 10:56:36 UTC 2003
On Mon, 10 Mar 2003, Owen DeLong wrote:
> It seems to me that it would be relatively simple to solve this problem by
> doing the following:
>
> 1. ICANN (or an ICANN designee, such as ARIN) shall issue an ASN range
> of 20 ASNs to be used as BOGON-ORIGINATE.
Why not just one or private/reserved?
> 2. Each RIR should operate one or more routers with an open peering
> policy which will perform the following functions:
>
> A. Advertise all unissued space allocated to the RIR as
> originating from an ASN allocated to <RIR>-BOGON.
>
> B. Peer with the corresponding routers at each of the other
> RIRs and accept and readvertise their BOGON list through
> BGP.
>
> C. Provide a full BOGON feed to any router that chooses to
> peer, but not accept any routes or non-BGP traffic from
> those routers.
Of course, configure it wrong and you would end up sending all the junk that you
would have null routed to your RIR. Sounds messy.
What's more, I can see potential whenever we start creating these kinds of
self-propagating blackholes for hackers to introduce genuine address blocks to
create a DDoS.
>
>
> 3. Any provider which wishes to filter BOGONs could peer with the
> closest one or two of these and set up route maps that modify
> the next-hop for all BOGONs to be an address which is statically
> routed to NULL0 on each of their routers.
How many eBGP sessions do the RIRs need to maintain?? A lot.. and the
maintenance would be a nightmare. Don't think this will work purely because of
that overhead you create!!
Steve
> Apologies if this has been discussed before, but, it seems to me that this
> is the easiest way to make the data readily available to the community
> directly from the maintainers of the databases in a fashion which is
> automatically up to date.
There are other ways that don't use BGP peering to create lists that are more
suitable.
Steve
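
The risk raised in this message, a genuine address block appearing in a BOGON feed and being null-routed by everyone who consumes it, can be reduced by vetting feed entries before they are given the null-routed next hop. The following is an added example, not part of the original thread; the prefixes, ASNs, cap and function name are constructed values (documentation ranges), not real registry data.

```python
import ipaddress

# Constructed sample data using documentation ranges (assumptions, not registry state).
ALLOCATED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
EXPECTED_ORIGINS = {64496, 64497}  # hypothetical <RIR>-BOGON origin ASNs
MAX_FEED_ROUTES = 4                # hypothetical max-prefix cap for the session


def vet_feed(routes, allocated=ALLOCATED, origins=EXPECTED_ORIGINS,
             max_routes=MAX_FEED_ROUTES):
    """Split (prefix, origin_asn) feed entries into accepted and rejected.

    Only accepted prefixes should ever get the null-routed next hop.
    """
    if len(routes) > max_routes:
        # A sudden flood of routes is treated as a broken or hostile feed.
        return [], [(p, asn, "feed exceeds max-prefix cap") for p, asn in routes]
    accepted, rejected = [], []
    for prefix, asn in routes:
        try:
            net = ipaddress.ip_network(prefix)
        except ValueError:
            rejected.append((prefix, asn, "malformed prefix"))
            continue
        if asn not in origins:
            rejected.append((prefix, asn, "unexpected origin ASN"))
        elif any(net.overlaps(a) for a in allocated):
            # Catches both more-specifics of issued space and covering aggregates.
            rejected.append((prefix, asn, "overlaps issued space"))
        else:
            accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed feed: one plausible bogon and three entries that must not be blackholed.
    feed = [("203.0.113.0/24", 64496), ("192.0.2.128/25", 64496),
            ("198.51.0.0/16", 64497), ("203.0.113.0/25", 65000)]
    ok, bad = vet_feed(feed)
    print("null-route:", ok)
    for prefix, asn, reason in bad:
        print(f"reject {prefix} from AS{asn}: {reason}")
```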