Anyone notice strange announcements for 174.128.31.0/24

Jared Mauch jared at puck.nether.net
Tue Jan 13 18:24:05 UTC 2009


On Tue, Jan 13, 2009 at 08:53:42AM -0800, David Barak wrote:
> --- On Tue, 1/13/09, Jared Mauch <jared at puck.nether.net> wrote:
> > 	Does that mean that I hijacked their identity and forged
> > it?  What level of trust do you place in the AS_PATH for your
> > routing, debugging and
> > decision making process?
> 
> AS_PATH != identity, and I would not recommend loading the latter 
> onto the former.

	But it does represent an interesting thing.  Many people treat
AS_PATH as identity, when in fact it's not congruent.

> > 	Personally, I would be upset if someone injected a route
> > with my ASN in the AS_PATH without my permission.
> 
> Why?  Is this a theoretical "because it's ugly" complaint, or is there a 
> reason why manipulating this particular BGP attribute in this particular 
> way is so bad?  Organizations do filtering and routing manipulation all 
> over the place.  Is there something worse about doing it this way than others?

	This is not "because it's ugly", but more complex to understand
the interaction.

	People have asserted that injecting an as-path with 2914 will
utilize the loop-detection mechanism to prevent reachability if your
transit is from 1239 or 174.

	Except that 174 filters out these asns from their customers.

	I've noticed zero complaints since my 'detecting routing leaks by
counting' system was presented at nanog that were not actual leaks when 
too many SFI (tier-1?) asns showed up in a path.

	While most of the challenge could be uneducated readers of an
as-path, without the protocol being changed, it really depends on the
elements in the path being genuine.  Without this trust, we should all
configure our routers to allow our own as in, or work to make it the new
default, and ask providers to change their filtering of other SFI asns
from their customer as-paths.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
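
A minimal sketch of the three AS_PATH checks discussed in the message above (leak detection by counting SFI ASNs, receiver-side loop detection, and a provider's customer filter), added here as an illustration; it is not code from the post or from the author's system. The SFI set (only the three ASNs named in the message), the threshold of two, the function names and the sample paths are assumptions.

```python
# Assumption: only the three ASNs named in the message; a real deployment
# would maintain its own, longer list.
SFI_ASNS = {174, 1239, 2914}
# Assumption: the message only says "too many". Two is chosen because a
# path crossing one peering link between two SFI networks holds two of them.
MAX_SFI = 2

def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so a prepended hop counts once."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def sfi_in_path(as_path):
    """Distinct SFI ASNs in the order they appear in the path."""
    seen = []
    for asn in collapse_prepends(as_path):
        if asn in SFI_ASNS and asn not in seen:
            seen.append(asn)
    return seen

def looks_like_leak(as_path, max_sfi=MAX_SFI):
    """Flag a path that carries more SFI ASNs than the threshold allows."""
    return len(sfi_in_path(as_path)) > max_sfi

def dropped_by_loop_detection(as_path, local_asn, allowas_in=False):
    """BGP loop detection: a router rejects a path that already contains
    its own ASN unless it is configured to allow its own AS in."""
    return local_asn in as_path and not allowas_in

def customer_filter_rejects(as_path, provider_asn):
    """Provider-side filter: reject a customer path that contains any
    SFI ASN other than the provider's own."""
    return any(a in SFI_ASNS and a != provider_asn for a in as_path)

if __name__ == "__main__":
    # Constructed sample paths; 64496-64498 are documentation ASNs.
    samples = {
        "normal":    [64496, 174, 174, 2914, 64497],
        "leak":      [64496, 174, 64498, 1239, 2914, 64497],
        "2914 seen": [1239, 64496, 2914, 64496],
    }
    for name, path in samples.items():
        print(name, sfi_in_path(path), "leak" if looks_like_leak(path) else "ok")
```

Counting only works while the ASNs in the path are genuine, which is the dependency the message points out: a path with an inserted SFI ASN is indistinguishable from a leak to this check.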



