the problems being solved -- or not

Pete Templin petelists at templin.org
Tue May 24 13:47:13 UTC 2005


Pekka Savola wrote:
> 
> On Mon, 23 May 2005, Tony Li wrote:
> 
>> Which is EXACTLY why we need to remember that we are NOT trying to come
>> up with the perfect solution.  We have operational issues *TODAY* that
>> we are trying to address.
>>
>> - We have people (admittedly accidentally) advertising prefixes that
>>  they do not own and thereby overloading BGP.  See the talk at the
>>  latest NANOG.
>>
>> - We have people intentionally out there forging /24's as an attack.
>>
>> - We have OTHER people out there flooding the networks with their /24's
>>  so that they are less vulnerable to attack by forged /24's, and
>>  thereby exacerbating the BGP overload problem.
> 
> 
> I think it's also worth considering where we expect this mechanism to be 
> deployed to be useful.
> 
> Let's take RIPE, RADB, etc. databases as an example.  Apparently we 
> can't count on the ISPs filtering out crap from their customers, because 
> otherwise we'd never have had these attacks.  Also apparently, we can't 
> count on the transit ISPs from weeding out the cruft that their ISPs 
> spew in their direction and then to everyone else.

Two of Tony Li's points (accidentally advertising prefixes and forging 
prefixes as an attack) have nothing to do with ISPs filtering out crap 
from their customers.  The talk at NANOG demonstrated that peering ISPs 
were vulnerable to the cruft from the offending ISP, not (just) transit 
ISPs.

> So, what can you do?  Everyone must process their incoming full Internet 
> feed and filter out bogus advertisements.  Prefix lists based on RIPE, 
> RADB, etc. could block the more specific, but not an equal length prefix.

Prefix lists aren't the (whole) solution.  The solution must check the 
{prefix, origin AS} correlation, and may check a subset of {prefix, 
origin AS, AS path, peer AS policy, (intermediate AS policy(ies))}.

> So, I guess I must ask -- if prefix lists haven't been deployed, why 
> would this be?

Probably NVRAM constraints or ability to decipher the RIR tools to make 
a functional policy implementation.  But see above, as prefix lists 
would NOT have solved the AS9121 problem, as was pointed out.

pt
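To make the distinction in the reply above concrete (a prefix list can block a more specific but passes an equal-length prefix from any origin, whereas a {prefix, origin AS} check catches the forged origin), here is an added illustration that is not part of the thread and not anyone's production filter. It assumes a simple ROA-like authorization table ({prefix, max_len, origin AS}), a prefix list with `le`-style maximum lengths, and a constructed sample feed using documentation prefixes and ASNs; all names are hypothetical.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Announcement(NamedTuple):
    prefix: str
    origin_as: int


class PrefixListEntry(NamedTuple):
    """Like a router prefix-list line: permit PREFIX le MAX_LEN (origin AS ignored)."""
    prefix: str
    max_len: int


class OriginAuthorization(NamedTuple):
    """Who may originate what: {prefix, max_len, origin AS}. ROA-like; an assumption
    of this example, not the mechanism the thread is designing."""
    prefix: str
    max_len: int
    origin_as: int


# Constructed sample policy using documentation ranges (RFC 5737 prefixes, RFC 5398 ASNs).
PREFIX_LIST = [
    PrefixListEntry("192.0.2.0/24", 24),
    PrefixListEntry("198.51.100.0/22", 24),
]

AUTHORIZATIONS = [
    OriginAuthorization("192.0.2.0/24", 24, 64496),
    OriginAuthorization("198.51.100.0/22", 24, 64497),
]

# Constructed sample feed: a legitimate route, an equal-length prefix from the wrong
# origin, an over-specific leak, a legitimate more-specific, and an unregistered prefix.
FEED = [
    Announcement("192.0.2.0/24", 64496),
    Announcement("192.0.2.0/24", 64499),
    Announcement("192.0.2.0/25", 64496),
    Announcement("198.51.100.0/24", 64497),
    Announcement("203.0.113.0/24", 64498),
]


def _covered(net, entry_prefix: str, max_len: int) -> bool:
    """True if net lies inside entry_prefix and is no longer than max_len."""
    entry = ipaddress.ip_network(entry_prefix)
    return (net.version == entry.version
            and net.subnet_of(entry)
            and net.prefixlen <= max_len)


def prefix_list_verdict(ann: Announcement, entries: List[PrefixListEntry]) -> str:
    """Prefix-list filter: looks only at the prefix, so it blocks more specifics
    beyond max_len but accepts an equal-length prefix from any origin."""
    net = ipaddress.ip_network(ann.prefix)
    for e in entries:
        if _covered(net, e.prefix, e.max_len):
            return "accept"
    return "reject"


def origin_verdict(ann: Announcement, auths: List[OriginAuthorization]) -> str:
    """{prefix, origin AS} correlation: 'valid' if an authorization covers the prefix
    and names this origin; 'invalid' if the prefix is covered only by authorizations
    for other origins or a tighter max_len; 'unknown' if nothing covers it."""
    net = ipaddress.ip_network(ann.prefix)
    covered = False
    for a in auths:
        entry = ipaddress.ip_network(a.prefix)
        if net.version != entry.version or not net.subnet_of(entry):
            continue
        covered = True
        if net.prefixlen <= a.max_len and ann.origin_as == a.origin_as:
            return "valid"
    return "invalid" if covered else "unknown"


def evaluate(feed: List[Announcement]) -> List[Tuple[Announcement, str, str]]:
    """Run both checks over a feed and return (announcement, prefix-list, origin) triples."""
    return [(ann, prefix_list_verdict(ann, PREFIX_LIST),
             origin_verdict(ann, AUTHORIZATIONS)) for ann in feed]


def forged_origins(feed: List[Announcement]) -> List[Announcement]:
    """The gap the reply points at: routes a prefix list accepts but the origin check rejects."""
    return [ann for ann, pl, ov in evaluate(feed) if pl == "accept" and ov == "invalid"]


if __name__ == "__main__":
    for ann, pl, ov in evaluate(FEED):
        print(f"{ann.prefix:18} AS{ann.origin_as}  prefix-list={pl:6}  origin-check={ov}")
```

Running it shows the second feed entry (192.0.2.0/24 originated by AS64499) passing the prefix list and failing only the origin check, while the /25 leak is caught by both and the unregistered 203.0.113.0/24 is rejected by the prefix list but merely "unknown" to the origin check, which is the state an operator would have to decide a policy for.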