Securing the BGP or controlling it?

Nick Hilliard nick at foobar.org
Mon May 10 11:48:43 CDT 2010


On 10/05/2010 17:00, Aaron Glenn wrote:
> my gut says things would do well to begin with simply making an effort
> at maintaining usable irr data and automagically generating sane
> filters. why don't people do that again? I hope I'm not naively
> misunderstanding a primary use of irr data in front of 10,000 of my
> closest friends...

There are a lot of problems associated with using IRRDB filters for inbound
prefix filtering.

- some clients announce lots of prefixes.  This can make inbound prefix
filtering difficult in some situations.

pixiedust:/home/nick> grep '>' pakistani-telecom.bgpdump.txt | wc -l
     967

- there are some endemic data reliability problems with the IRRDBs,
exacerbated by the fact that on most of the widely-used IRRDBs, there is no
link between the RIR and the IRRDB, which means that anyone can register
any address space.  whois.ripe.net doesn't allow this, but lots of other
IRRDBs do.

- the ripe whois server software does not support server-side as-set
expansion.  This is a really serious problem if you're expanding large ASNs.

- there is very little client software.  At least irrtoolset compiles these
days, but its front-end is very primitive.  rpsltool provides some really
nice templating functionality, but doesn't implement large sections of the
rpsl standards.

Nick
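
Added example (not part of the message above and not code from any IRR tool): a sketch of the client-side as-set expansion a filter generator has to do when the whois server will not expand sets itself, followed by the prefix-list build with a size check. The object names, ASNs, prefixes, the lookup callback and the max_entries limit are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample IRR objects (documentation ASNs/prefixes, not registry data).
AS_SETS = {
    "AS-EXAMPLE": ["AS64500", "AS-CUST-A", "AS-CUST-B"],
    "AS-CUST-A": ["AS64501", "AS-CUST-B"],
    "AS-CUST-B": ["AS64502", "AS-EXAMPLE"],  # member loops back to the parent
}
ROUTES = {  # origin ASN -> prefixes taken from route objects
    "AS64500": ["192.0.2.0/24"],
    "AS64501": ["198.51.100.0/25", "198.51.100.128/25"],
    "AS64502": ["203.0.113.0/24", "203.0.113.0/25"],
}

def expand_as_set(name, lookup):
    """Expand an as-set on the client: one lookup per set, each set visited once."""
    asns, seen, stack, queries = set(), set(), [name], 0
    while stack:
        item = stack.pop()
        if re.fullmatch(r"AS\d+", item):
            asns.add(item)       # plain ASN member, nothing to expand
            continue
        if item in seen:         # cycle or shared child set: do not query again
            continue
        seen.add(item)
        queries += 1             # every nested set is another round trip
        stack.extend(lookup(item))
    return sorted(asns), queries

def build_prefix_filter(asns, routes, max_entries=1000):
    """Exact-match prefix list for the expanded ASNs; refuse oversized results."""
    nets = set()
    for asn in asns:
        for prefix in routes.get(asn, []):
            # strict=True rejects entries with host bits set (bad registry data)
            nets.add(ipaddress.ip_network(prefix, strict=True))
    ordered = sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))
    if len(ordered) > max_entries:
        raise ValueError(f"{len(ordered)} prefixes exceeds limit of {max_entries}")
    return [str(n) for n in ordered]

if __name__ == "__main__":
    members, cost = expand_as_set("AS-EXAMPLE", lambda n: AS_SETS.get(n, []))
    print(f"{len(members)} ASNs after {cost} as-set lookups: {members}")
    for entry in build_prefix_filter(members, ROUTES):
        print("permit", entry)
```

The lookup count grows with the number of nested sets, which is the cost that server-side expansion would otherwise absorb.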



