Securing the BGP or controlling it?

Nick Hilliard nick at foobar.org
Mon May 10 12:23:54 CDT 2010


On 10/05/2010 17:58, Jared Mauch wrote:
> On May 10, 2010, at 12:48 PM, Nick Hilliard wrote:
>> - there are some endemic data reliability problems with the IRRDBs,
>> exacerbated by the fact that on most of the widely-used IRRDBs, there is no
>> link between the RIR and the IRRDB, which means that anyone can register
>> any address space.  whois.ripe.net doesn't allow this, but lots of other
>> IRRDBs do.
> 
> Certainly this is a function that you can petition your local RIR to do,
> have you made a proposal to them?

RIPE does this automatically.  But I have no idea how this sort of thing
would be implemented between an RIR like ARIN and an IRRDB like whois.radb.net.

>> - the ripe whois server software does not support server-side as-set
>> expansion.  This is a really serious problem if you're expanding large ASNs.
> 
> Have you asked them to include this?

I've enquired informally and was left with the impression that it would be
difficult; the RIPE DB code is troublesome, and there are line protocol
differences between the ripe server and the merit server which would make
parsing an interesting proposition.

> I certainly agree the tools here are suboptimal, but is that the the
> reason to throw the baby out with the bathwater?

Not at all - I use prefix filtering in anger, and it works very well in its
place.

> Who is going to be the provider that turns away business because their
> customer is unwilling to register their routes in a klunky-toolset?

Lots.  They'll certainly take on the business, but I know of several
well-known names who provide service in Dublin and who won't accept your
prefixes unless they are registered in an IRRDB.

> What improvements to the toolset should go back to the community to
> improve filtering?

If you're offering to hack code, great - email me offline :-)

Nick




More information about the NANOG mailing list