Public shaming list for ISPs announcing other ISPs IP space by mistake
swmike at swm.pp.se
Fri Aug 15 02:01:27 CDT 2008
On Thu, 14 Aug 2008, Steven M. Bellovin wrote:
> Many of them -- most of them? -- do filter, to the extent that they can.
> However, they're in a poor position to do a complete job.
What I would like is to be able to filter prefixes on the basis of the
AS-path/prefix combination, and have this in a signed fashion.
So let's say an ISP has AS1 and their upstreams are AS2 and AS3. They have
They will then publish a routing policy that AS* (any AS) should only
accept 10.0.5.0/16 originated from AS1, and no more specifics, but AS2 and
AS3 should accept more specifics down to /24 (for granular traffic
control). For this to be secure, I guess the announcement needs some kind
of cryptographic verification, but I don't know much about that, but that
should be used as well, but even without it we stop the possibility of
human error announcing breakouts or that /16 by someone else.
Now, building existing prefix/AS-path lists based on the above information
isn't feasible. We have ~30k ASN live and 270k prefixes so the amount of
lines in a config is just unfeasible, which means we need some kind of new
strategy to handle all this policy information. I guess having some kind
of policy server which receives routes and then can tell routers to ignore
them if they don't adhere to policy might work if the routes seen which are
not according to policy are few, but if they become many then we run into
the same scaling problem again.
So perhaps this problem can't be solved by anything existing, but instead
we need new functionality in our routers to handle this problem? So time
to market on this is in the years, but if we don't start work on it it'll
never get done.
But I do feel that any long-term solution needs to be distributed and
implemented on a per ASN basis, where participating ASNs don't have to
be directly connected to each other...
Mikael Abrahamsson email: swmike at swm.pp.se
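The per-AS policy sketched in the post (the /16 accepted anywhere only when AS1 originates it, more specifics down to /24 accepted only at the upstreams AS2 and AS3) can be expressed as data and checked by the kind of policy server the post imagines. The following is an added example, not code from the post or from any NANOG project; the `POLICY` table, the sample announcements and the AS numbers are constructed for illustration, and the prefix `10.0.5.0/16` from the post is normalised with `strict=False` because its host bits are set.

```python
import ipaddress

# Constructed policy modelled on the post: AS1 originates 10.0.5.0/16.
# "*" is the length limit any AS applies; per-AS overrides let the
# upstreams AS2 and AS3 accept more specifics down to /24.
POLICY = [
    {
        "prefix": "10.0.5.0/16",
        "origin": 1,
        "max_length": {"*": 16, 2: 24, 3: 24},
    },
]

# Constructed announcements as (prefix, AS path); the last AS is the origin.
SAMPLE_ANNOUNCEMENTS = [
    ("10.0.5.0/16", [2, 1]),   # the /16 via an upstream, origin AS1: fine anywhere
    ("10.0.5.0/16", [9]),      # the /16 originated by AS9: the "by mistake" case
    ("10.0.7.0/24", [2, 1]),   # a breakout of the /16 leaking past AS2
    ("192.0.2.0/24", [5]),     # not covered by any policy entry
]


def _covering_entry(prefix, policy):
    """Find the policy entry whose prefix covers the announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry in policy:
        cover = ipaddress.ip_network(entry["prefix"], strict=False)
        if net.version == cover.version and net.subnet_of(cover):
            return entry, net
    return None, net


def check_route(prefix, as_path, observer_as, policy=POLICY):
    """Judge one announcement as seen by observer_as.

    Returns (verdict, reason) with verdict one of "accept", "reject"
    or "no-policy" (the prefix has no registered policy, so the
    scheme in the post says nothing about it).
    """
    if not as_path:
        return ("reject", "empty AS path")
    entry, net = _covering_entry(prefix, policy)
    if entry is None:
        return ("no-policy", "prefix is not covered by any policy entry")
    origin = as_path[-1]
    if origin != entry["origin"]:
        return ("reject",
                f"origin AS{origin} is not the registered origin AS{entry['origin']}")
    # Per-AS length limit if one is registered, otherwise the limit for any AS.
    allowed = entry["max_length"].get(observer_as, entry["max_length"]["*"])
    if net.prefixlen > allowed:
        return ("reject",
                f"/{net.prefixlen} exceeds the /{allowed} limit for AS{observer_as}")
    return ("accept", "matches policy")


def audit(announcements, observer_as, policy=POLICY):
    """Return the announcements observer_as should ignore, with reasons.

    This is the policy-server role from the post: routes come in,
    the ones that violate policy are reported back for the routers to drop.
    """
    ignored = []
    for prefix, as_path in announcements:
        verdict, reason = check_route(prefix, as_path, observer_as, policy)
        if verdict == "reject":
            ignored.append((prefix, as_path, reason))
    return ignored


if __name__ == "__main__":
    for observer in (7, 2):
        print(f"As seen by AS{observer}:")
        for item in audit(SAMPLE_ANNOUNCEMENTS, observer):
            print("  ignore", item)
```

Run as a script it prints, for an unrelated AS7, both the mis-originated /16 and the /24 breakout as routes to ignore, while for AS2 the same /24 with AS1 as origin is within its /24 allowance. The check has no cryptographic binding of prefix to origin, which is exactly the gap the post flags; it only enforces the policy data it is handed.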