soBGP deployment

Daniel Golding dgolding at burtongroup.com
Mon May 23 18:00:12 UTC 2005



I suspect the right thing to do is to ask why soBGP and sBGP have failed?

And yes, they've failed. Just like DNSSec, we aren't seeing even limited
adoption. Why? Too complex, too many moving parts, too much reliance on iffy
third parties and requires mass adoption.

I suggest that the community finds something that gives us most of what we
want, is simple to understand, and can be implemented in a piece-wise
fashion. Look at SPF - not perfect, but certainly useful. It is simple, easy
to implement, and IS being implemented.

One of the Internetworking community's biggest problems is a fixation on the
perfect solution. It's natural - we're engineers, after all. We want an
elegant 100% solution to our ills. This often leads to something that never
gets implemented in real life.

Why not do something simple? The in-addr.arpa reverse delegation tree is
pretty accurate. We use it for lots of different things. Why not just give
IP address blocks a new RR (or use a TXT record) to identify ASN? This
solves the biggest problem we have right now, which is stealing of address
blocks. It requires little processor overhead, and only a few additional DNS
lookups. It's reasonably foolproof.

Why create reliance on more databases? The RIRs are iffy. We rely on DNS
right now. Why not keep relying on it? This solution doesn't solve all of
our problems, but it does help, it's easy, and people will implement it.

Ok, please start flaming now :)

- Dan

On 5/23/05 1:45 PM, "bmanning at vacation.karoshi.com"
<bmanning at vacation.karoshi.com> wrote:

> 
> 
> for the old-timers.... this is not quite sBGP or soBGP, but does
> have many of the desirable traits....  for the new kids on the block,
> if ISPs want to do this, it's something they can do themselves, w/o
> centralized coordination, on an incremental basis.
> 
> http://www.isoc.org/inet98/proceedings/6h/6h_3.htm
> 
> --bill
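
Added example, not part of the original message or of any deployed system: a sketch of the origin check the post proposes, where a TXT record in the in-addr.arpa tree names the AS allowed to originate a block. The `asn=` record syntax, the function names and the sample zone data are assumptions made for illustration; the post defines no record format.

```python
import ipaddress

# Constructed sample data standing in for TXT answers from the reverse tree.
# The "asn=<number>" syntax is an assumption; the post defines no format.
SAMPLE_TXT = {
    "2.0.192.in-addr.arpa.": ["asn=64500"],
    "100.51.198.in-addr.arpa.": ["asn=64501", "asn=64502"],  # two origins
}

def sample_lookup(name):
    """Stand-in for a DNS TXT query; returns the TXT strings at `name`."""
    return SAMPLE_TXT.get(name, [])

def reverse_names(prefix):
    """Return in-addr.arpa names covering an IPv4 prefix, most specific first.

    Only octet-aligned zone cuts are used, so a /22 is looked up at its
    /16 and /8 names and never at a /24 name it merely contains.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(net.network_address).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa."
            for n in range(net.prefixlen // 8, 0, -1)]

def authorized_origins(prefix, lookup_txt):
    """Return the ASNs published at the closest covering name, or None."""
    for name in reverse_names(prefix):
        asns = set()
        for txt in lookup_txt(name):
            key, _, value = txt.partition("=")
            if key.strip().lower() == "asn" and value.strip().isdecimal():
                asns.add(int(value))
        if asns:
            return asns
    return None

def check_announcement(prefix, origin_as, lookup_txt):
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown'."""
    origins = authorized_origins(prefix, lookup_txt)
    if origins is None:
        # No record published: with piecewise adoption this must not be
        # treated as a failure, or unparticipating networks get dropped.
        return "unknown"
    return "valid" if origin_as in origins else "invalid"
```

In a real deployment `lookup_txt` would be a resolver call, and the verdict is only as trustworthy as the DNS answers behind it.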






