Securing the BGP or controlling it?

Nick Hilliard nick at
Mon May 10 16:48:43 UTC 2010

On 10/05/2010 17:00, Aaron Glenn wrote:
> my gut says things would do well to begin with simply making an effort
> at maintaining usable irr data and automagically generating sane
> filters. why don't people do that again? I hope I'm not naively
> misunderstanding a primary use of irr data in front of 10,000 of my
> closest friends...

There are a lot of problems associated with using IRRDB filters for inbound
prefix filtering.

- some clients announce lots of prefixes.  This can make inbound prefix
filtering difficult in some situations.

pixiedust:/home/nick> grep '>' pakistani-telecom.bgpdump.txt | wc -l

- there are some endemic data reliability problems with the IRRDBs,
exacerbated by the fact that on most of the widely-used IRRDBs, there is no
link between the RIR and the IRRDB, which means that anyone can register
any address space. doesn't allow this, but lots of other
IRRDBs do.

- the ripe whois server software does not support server-side as-set
expansion.  This is a really serious problem if you're expanding large ASNs.

- there is very little client software.  At least irrtoolset compiles these
days, but its front-end is very primitive.  rpsltool provides some really
nice templating functionality, but doesn't implement large sections of the
rpsl standards.


More information about the NANOG mailing list