Public shaming list for ISPs announcing other ISPs IP space by mistake
jared at puck.nether.net
Thu Aug 14 14:09:18 CDT 2008
On Thu, Aug 14, 2008 at 11:32:28AM -0700, brett watson wrote:
> On Aug 14, 2008, at 11:21 AM, David Freedman wrote:
>>> but, why wouldn't something like formally requiring
>>> customers/peers/transits/etc to have radb objects as a 'requirement'
>>> for peering/customer bgp services
>> Step 1 : Enforce IRR for customers *now*.
> Right, but I think the bigger issue is not just that "data is in the
> IRR" but rather "the data is there, and "some organization" has
> validated that 1) the "owner" is authentic, 2) they own the prefixes
> they entered, 3) they are authorized to originate the prefixes, and 4)
> the policies they entered are valid and agreed to by the other parties."
> We have to be able to *trust* the data in the IRR, which I assume is one
> of the biggest impediments to being used by everyone: who's going to
> validate all that data and how will they do it?
You're missing a step:
No really, the reason for some leaks isn't because so-and-so was
never a customer, they were. 5 years ago. nobody removed the routes from
the IRR or AS-SET or <insert method here> and now the route is learned via
some other location and it's bypassed your perimiter security and
infiltrated your BGP.
There's many simple things that makes it seem like it's
an impossible task, but there's a saying, if you're not progressing
you're regressing. If the toolset is too complex or doesn't work,
what are YOU doing to make it better for you and/or your customers?
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the NANOG