Level 3's IRR Database

Christopher Morrow morrowc.lists at gmail.com
Mon Jan 31 16:01:26 CST 2011


On Mon, Jan 31, 2011 at 3:55 PM, Andree Toonk <andree+nanog at toonk.nl> wrote:
> .-- My secret spy satellite informs me that at 11-01-31 12:11 PM Christopher
> Morrow wrote:

>> yes, but what is the way forward?
>
> Not sure, that was my original question:
> Are there any suggestions or recommendations for how to handle these cases?

So... I think we should keep in mind that rPKI provides some
in-protocol (and on-router) certificate checking bits (this is
oversimplified, on purpose). Those things allow you to validate routing
data as you see it on the device, and take some policy steps to react
to that decision.

The other thing that rPKI gets us to is the ability to create and
maintain prefix-list (or equivalent) data for routers in an
automated and verifiable manner. You could validate the prefixes your
customers/peers claim to have with some cryptographic assurance...
that data is tied to the allocation hierarchy, and it's kept updated
by the allocation chain (IANA->RIR->NIR->LIR->EndUser).

So, maybe the answer is folks will be able to
better/quicker/more-accurately maintain bgp filters and drop this sort
of problem in Adj-Rib-In?

-Chris
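
Added example, not part of the original message: a sketch of the filter-building idea described above, checking the prefixes a customer claims against validated ROA data and keeping only those that validate. It uses the valid/invalid/notfound origin-validation states of RFC 6811; the ROA entries, ASNs and the strict "accept only valid" policy are constructed assumptions.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, max length, origin ASN).
# Documentation prefixes and private-use ASNs, not real allocations.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'notfound' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # Only an entry of the same address family that covers the
        # announced prefix is relevant to the decision.
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the right origin AS and a prefix no more
        # specific than the entry's maximum length.
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: wrong origin or too specific.
    return "invalid" if covered else "notfound"

def build_filter(customer_asn, claimed, vrps=VRPS):
    """Split a customer's claimed prefixes into accepted and rejected lists.

    Assumed policy: only 'valid' prefixes go into the prefix-list;
    'invalid' and 'notfound' are returned with their state for review.
    """
    accepted, rejected = [], []
    for prefix in claimed:
        state = validate(prefix, customer_asn, vrps)
        if state == "valid":
            accepted.append(prefix)
        else:
            rejected.append((prefix, state))
    return accepted, rejected

if __name__ == "__main__":
    claimed = ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/24",
               "203.0.113.0/24", "2001:db8:1::/48"]
    ok, bad = build_filter(64500, claimed)
    print("prefix-list for AS64500:", ok)
    print("rejected:", bad)
```
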
