Pitfalls of _accepting_ /24s

Terry Baranski tbaranski at mail.com
Fri Oct 17 00:02:59 UTC 2003


jlewis wrote:
> On the topic of announcing PA /24's, what procedures do
> you take to make sure that a new customer who wants to
> announce a few PA (P being one or more P's other than
> yourself) IP space is legit and should be announcing
> that IP space?

I'm also interested in hearing current practices on this for PA space,
PI space, or whatever.  With UUNet and Qwest all I've had to do is make
a phone call.  I don't know whether or not whois was checked before the
changes were made.

I think this is important because what seems to be the current,
fairly-lax policies on this negates some of the benefit of edge
anti-spoof filtering.  If, for example, it's quick & easy to contact an
ISP posing as a customer (or maybe the customer is doing the evil deeds
themselves, so no posing is necessary) and get IP block X allowed
through the ISP's BGP/anti-spoof filters for that customer, what good
have the filters done?  If we want ISPs to put forth the effort to
deploy filters on all their edge links, it seems silly for it to be so
easy for one to socially engineer their spoofed packets right through
them.  

> Personally, I just check whois, and if it looks legit, 
> I'll listen to those routes and even create their route 
> objects as necessary, since some of our upstreams require 
> that.

If everyone checked whois it would at least put an end to the
unencouraging amount of unallocated prefixes one can find in the BGP
tables at any given time.  But it's also not difficult for someone with
bad intentions to find space that is allocated per whois but not
advertised by anyone.  So it seems like additional verification steps
may be needed if we're serious about wanting to put an end to spoofed
packets.

-Terry
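As an added illustration (not part of the original post or of any operator's tooling), the following script sketches the kind of verification the thread argues for: before accepting a customer's /24, check that the prefix is allocated per whois, that the holder matches the customer, and that a route object exists with the customer's origin AS. The allocations, route objects, AS numbers and prefixes are constructed for the example; the whois and IRR lookups are stand-ins for real queries.

```python
"""Added example: a minimal prefix-acceptance check against a constructed
whois/IRR snapshot. Every value below is made up for illustration."""
import ipaddress

# Constructed whois-style allocations: prefix -> organisation holding it.
ALLOCATIONS = {
    "192.0.2.0/24": "EXAMPLE-NET-1",
    "198.51.100.0/24": "EXAMPLE-NET-2",
    "203.0.113.0/24": "EXAMPLE-NET-3",
}

# Constructed IRR route objects: (prefix, origin ASN).
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64496),
    ("203.0.113.0/24", 64498),
]


def _covers(outer, inner):
    """True if network `inner` lies within network `outer` (same IP version)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def covering_allocation(prefix):
    """Return the whois allocation containing `prefix`, or None if unallocated."""
    for alloc in ALLOCATIONS:
        if _covers(alloc, prefix):
            return alloc
    return None


def vet_prefix(prefix, customer_asn, customer_org):
    """Decide whether to accept `prefix` from a customer claiming to be
    `customer_org` and to originate it from `customer_asn`.

    Returns 'unallocated', 'holder-mismatch', 'no-route-object',
    'origin-mismatch' or 'accept'. A route object for a covering prefix is
    treated as sufficient here (an assumption; many operators require an
    exact match)."""
    alloc = covering_allocation(prefix)
    if alloc is None:
        return "unallocated"          # would show up as a bogon in the table
    if ALLOCATIONS[alloc] != customer_org:
        return "holder-mismatch"      # allocated, but not to this customer
    origins = {asn for p, asn in ROUTE_OBJECTS if _covers(p, prefix)}
    if not origins:
        return "no-route-object"      # operator may create one, as jlewis does
    if customer_asn not in origins:
        return "origin-mismatch"      # route object names a different origin
    return "accept"
```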
