Public shaming list for ISPs announcing other ISPs IP space bymistake

Fri Aug 15 07:01:27 UTC 2008

On Thu, 14 Aug 2008, Steven M. Bellovin wrote:

> Many of them -- most of them? -- do filter, to the extent that they can. 
> However, they're in a poor position to do a complete job.

What I would like is to be able to filter prefixes on the basis of the 
AS-path/prefix combination, and have this in a signed fashion.

So let's say an ISP has AS1 and their upstreams are AS2 and AS3. They have 
10.0.5.0/16.

They will then publish a routing policy that AS* (any AS) should only 
accept 10.0.5.0/16 originated from AS1, and no more specifics, but AS2 and 
AS3 should accept more specifics down to /24 (for granular traffic 
control). For this to be secure, I guess the announcement needs some kind 
of cryptographic verification, but I don't know much about that, but that 
should be used as well, but even without it we stop the possibility of 
human error announcing breakouts or that /16 by someone else.

Now, building existing prefix/AS-path lists based on the above information 
isn't feasable. We have ~30k ASN live and 270k prefixes so the amount of 
lines in a config is just unfeasable, which means we need some kind of new 
strategy to handle all this policy information. I guess having some kind 
of policy server which receives routes and then can tell routers to ignore 
them if they don't adhere to policy might work if the routes seen which is 
not according to policy are few, but if they become many then we run into 
the same scaling problem again.

So perhaps this problem can't be solved by anything existing, but instead 
we need new functionality in our routers to handle this problem? So time 
to market on this is in the years, but if we don't start work on it it'll 
never get done.

But I do feel that any long-term solution needs to be distributed and 
implemented on a per ASN basis, where participating ASNs doesn't have to 
be directly connected to each other...

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se