Great Suggestion for the DNS problem...?
swmike at swm.pp.se
Fri Aug 29 01:46:28 CDT 2008
On Thu, 28 Aug 2008, Brian Dickson wrote:
> However, if *AS-path* filtering is done based on IRR data, specifically
> on the as-sets of customers and customers' customers etc., then the
> attack *can* be prevented.
Yes, but I can't do this for everybody else. Doing AS-path and prefix
filtering (matching that a certain prefix can only be announced by a
certain AS) doesn't scale in IOS for instance.
We do prefix filtering for OUR customers, but there is no feasable way for
me to do this for everybody else. I think this needs to be fixed, but it
involves something new that isn't present today, and I think it needs to
involve vendors because they need to produce new code to handle it.
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the NANOG