Suspicious anycast prefixes

David Miller dmiller at tiggee.com
Thu May 5 08:43:52 CDT 2011


On 5/5/2011 8:59 AM, Danny McPherson wrote:
> On May 3, 2011, at 6:17 AM, Bill Woodcock wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On May 2, 2011, at 12:35 PM, Joe Abley wrote:
>>> It's perhaps worth noting that there is work in the IETF to recommend that every prefix originated as part of an anycast cloud uses a unique origin AS (see<http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00>). I'm not personally convinced of the arguments in the draft, but mentioning it in this thread seems reasonable.
>> I'm also not convinced of the arguments in the draft, since it argues that it would be a best-practice
> 'A', not 'the', for the reasons conveyed in the draft (e.g., control
> plane discriminator, RPKI foundations, etc..).  If you don't like it,
> don't do it, it's certainly easier to not do it.
>
>> for me to originate my address space from more than 8,000 different ASNs,
> 8000 is a very large number.
>
>> when I currently do just fine advertising it from three.
> "You" as a service operator do just fine, and it's surely much
> simpler from a configuration and provisioning standpoint.  But
> what about those folks that consume the service, and have no
> indication of which node they may be utilizing from an Internet
> control plane perspective, or all the associated derivatives?

In a properly functioning system - folks that consume the service don't 
need to know which node they are utilizing.

Providing the capability for well behaved customers to select/prefer a 
particular node over another would also allow evildoers to select/prefer 
a particular node over others - thereby increasing the attack surface of 
this node, yes?

Not a fan.

>>   I'd much rather there not exist a document that clueless people can point at and claim is a "best common practice" when it's neither best nor common.
> 'clueless people' wouldn't care which node they utilize, where
> it resides, or what other attributes might exist and be associated
> with it.  Providing a discriminator in the control plane for the
> consumer of critical network services might well be of utility to
> some.
>
> -danny
>
>
>
>

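As an added illustration of the control-plane discriminator under discussion (not code from this thread or from the draft), the script below takes constructed BGP route observations and shows what a consumer of the service can and cannot learn from the origin AS. The node names, prefix (192.0.2.0/24) and private ASNs are assumptions made for the example; the only mechanism used is the one the draft relies on, that the origin AS is the last ASN in the AS_PATH. It also reports which prefixes appear with more than one origin AS, which is exactly what a unique-origin-AS anycast cloud looks like in a route collector.

```python
"""Origin AS as a control-plane discriminator for anycast nodes.

Added example, not part of the original thread. Each BGP observation is
(vantage point, prefix, AS_PATH). The origin AS is the last ASN in the path.
If every anycast node originates the prefix from its own ASN, the origin AS
seen at a vantage point identifies the node that vantage point reaches. If all
nodes share one origin AS, the control plane carries no per-node information.

All names, prefixes and ASNs below are constructed for illustration.
"""
from collections import defaultdict

PREFIX = "192.0.2.0/24"  # constructed (documentation prefix)

# Constructed node -> origin ASN maps for a hypothetical three-node service.
SHARED_ORIGIN = {"node-ams": 65000, "node-nyc": 65000, "node-sin": 65000}
UNIQUE_ORIGIN = {"node-ams": 65001, "node-nyc": 65002, "node-sin": 65003}

# Constructed route observations: (vantage point, prefix, AS_PATH).
# Each vantage point's upstream (651xx) is followed by the anycast origin.
SHARED_OBS = [
    ("rv-ams", PREFIX, [65100, 65000]),
    ("rv-nyc", PREFIX, [65200, 65000]),
    ("rv-sin", PREFIX, [65300, 65000]),
]
UNIQUE_OBS = [
    ("rv-ams", PREFIX, [65100, 65001]),
    ("rv-nyc", PREFIX, [65200, 65002]),
    ("rv-sin", PREFIX, [65300, 65003]),
]


def origin_as(as_path):
    """Origin AS is the last element of AS_PATH (AS_SETs ignored here)."""
    return as_path[-1]


def node_for_route(as_path, node_origins):
    """Nodes consistent with the observed origin AS; more than one means
    the control plane cannot tell them apart."""
    origin = origin_as(as_path)
    return {node for node, asn in node_origins.items() if asn == origin}


def discriminate(observations, node_origins):
    """Map (vantage point, prefix) to the set of nodes its path could reach."""
    return {
        (vantage, prefix): node_for_route(as_path, node_origins)
        for vantage, prefix, as_path in observations
    }


def moas_prefixes(observations):
    """Prefixes seen with more than one origin AS across the observations.

    Under the unique-origin design this is expected for every anycast
    prefix, so a MOAS hit alone is not evidence of a hijack; it has to be
    checked against the operator's known set of node ASNs."""
    origins = defaultdict(set)
    for _, prefix, as_path in observations:
        origins[prefix].add(origin_as(as_path))
    return {p: o for p, o in origins.items() if len(o) > 1}


if __name__ == "__main__":
    for label, obs, nodes in (("shared origin", SHARED_OBS, SHARED_ORIGIN),
                              ("unique origin", UNIQUE_OBS, UNIQUE_ORIGIN)):
        print(f"== {label} ==")
        for key, candidates in discriminate(obs, nodes).items():
            print(f"  {key[0]} -> {sorted(candidates)}")
        print(f"  MOAS prefixes: {moas_prefixes(obs)}")
```

With the shared origin, every vantage point resolves to all three nodes, so the AS_PATH tells the consumer nothing about which node is serving it; with per-node origins, each vantage point resolves to exactly one node, and the same prefix shows up with three origin ASes, which is the view a route collector would present.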