Hijacked Network Ranges
Mark Tinka
mtinka at globaltransit.net
Mon Feb 6 07:59:29 UTC 2012
On Monday, February 06, 2012 03:06:24 PM Christopher Morrow wrote:
> do you have customers with 10k long prefix lists? it gets
> hard when the lists get long, or the data is for
> downstream folks of your customer. Good that someone's
> checking though, I'd love to see this part automated.
No, we don't have customers with 10,000-long prefix lists,
but we have planned to implement automation (either using
the IRR Toolset or home-grown solutions) to make this
possible as a means to scaling, should that time arise.
As it is now, throwing NOC staff at the problem for the
volumes we have works well enough. But this is, by no means,
a panacea as we scale up.
Heck, one must even worry whether some router
configurations can take that many lines. But there are other
ways around that.
> RPKI doesn't necessarily mean that the router knows
> anything about certificates in the short-term. I think
> there's a time when 'the resource certification system'
> (which is really, today, the rpki) holds cert/roa data
> that you could use to filter what the IRR tells you for
> a customer. You could even do this in any automated
> manner!
Well, given validation information will be available within
a network, one may use it in non-obvious ways to implement
policy.
> The time between the previous and next paragraphs though
> is when all isp's will need to beat the drums with their
> customers saying: "Hey, you REALLY need to get that shit
> into the 'resource certification system' (rpki), NOW."
> (because shortly we'll stop accepting your "invalid"
> routes... and then the interwebs won't be able to find
> you, and we'll all be sad.)
Well, we have all seen how doing this with DNSSEC, IPv6 and
4-byte ASNs worked out.
We need to understand that different operators and different
customers will have varying reasons as to why they can't yet
"do the right thing". There is abundant evidence of this
with other similar initiatives.
Adoption will have to be incremental. During that time, the
Internet must not break.
> sure... it's not working so well though :(
Not for lack of having some kind of solution.
What we have today may not be the best, most scalable
option, but it is one nonetheless. Automating it (like what
RPSL does) is how you can make it scale to some extent, but
it's still the same solution.
We can't just sit around waiting for RPKI. There will be
some reason why some of us can't deploy it, while someone
else is thinking up its successor. Rinse, repeat.
Mark.
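The combination the thread talks about, an IRR-derived customer prefix list trimmed by ROA data and emitted as router configuration, as an added example that is not code from the thread or from either poster. The ROA and IRR inputs below are constructed (RFC 5737/3849 documentation prefixes, RFC 5398 documentation ASNs), and both line formats are assumptions standing in for a validator's ROA export and for route/route6 objects pulled from an IRR. Validation follows the RFC 6811 outcomes (valid, invalid, notfound); the example's own policy choice is to keep "notfound" routes by default, with a strict mode that drops them.

```python
"""Filter an IRR-derived customer prefix list with RPKI ROA data.

Added example, not code from the NANOG thread. All inputs are constructed;
the two line formats are assumptions for this example only.
"""
import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    origin_as: int      # 0 (an AS0 ROA) never matches a real origin


def parse_asn(token):
    token = token.strip().upper()
    return int(token[2:] if token.startswith("AS") else token)


def _data_lines(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_roas(text):
    """Assumed line format: '<prefix>-<maxLength> <origin asn>'."""
    roas = []
    for line in _data_lines(text):
        pfx_maxlen, asn = line.split()
        pfx, maxlen = pfx_maxlen.rsplit("-", 1)
        net = ipaddress.ip_network(pfx, strict=True)
        maxlen = int(maxlen)
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maxLength in ROA line: {line!r}")
        roas.append(Roa(net, maxlen, parse_asn(asn)))
    return roas


def parse_irr_routes(text):
    """Assumed line format: '<prefix> <origin asn>'; returns (net, asn) pairs."""
    return [(ipaddress.ip_network(p, strict=True), parse_asn(a))
            for p, a in (line.split() for line in _data_lines(text))]


def validate(prefix, origin_as, roas):
    """RFC 6811 route origin validation for one (prefix, origin AS) pair."""
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return NOTFOUND
    if any(r.origin_as == origin_as and prefix.prefixlen <= r.max_length
           for r in covering):
        return VALID
    return INVALID   # covered, but wrong origin or longer than maxLength


def filter_irr_routes(routes, roas, accept_notfound=True):
    """Split IRR routes into (accepted, rejected) lists of (net, asn, state).

    NotFound is accepted by default so customers without ROAs keep working;
    accept_notfound=False gives a strict ROA-only policy.
    """
    accepted, rejected = [], []
    for prefix, asn in routes:
        state = validate(prefix, asn, roas)
        ok = state == VALID or (state == NOTFOUND and accept_notfound)
        (accepted if ok else rejected).append((prefix, asn, state))
    return accepted, rejected


def render_prefix_list(name, accepted):
    """IOS-style prefix-list lines, sequenced separately per address family."""
    lines, seq = [], {4: 0, 6: 0}
    for prefix, _asn, _state in sorted(accepted, key=lambda e: (e[0].version, e[0])):
        seq[prefix.version] += 5
        kw = "ip" if prefix.version == 4 else "ipv6"
        lines.append(f"{kw} prefix-list {name} seq {seq[prefix.version]} permit {prefix}")
    return lines


# Constructed sample data for a hypothetical customer AS64496.
CONSTRUCTED_ROAS = """
# prefix-maxLength  origin
203.0.113.0/24-24  AS64496
198.51.100.0/24-24 AS64497
2001:db8::/32-48   AS64496
"""

CONSTRUCTED_IRR = """
# what the IRR claims AS64496 originates
203.0.113.0/24   AS64496
203.0.113.0/25   AS64496
198.51.100.0/24  AS64496
192.0.2.0/24     AS64496
2001:db8:1::/48  AS64496
"""


def build_customer_list(name="AS64496-IN", accept_notfound=True):
    accepted, rejected = filter_irr_routes(
        parse_irr_routes(CONSTRUCTED_IRR), parse_roas(CONSTRUCTED_ROAS), accept_notfound)
    return render_prefix_list(name, accepted), rejected


if __name__ == "__main__":
    config, rejected = build_customer_list()
    print("\n".join(config))
    for prefix, asn, state in rejected:
        print(f"# dropped {prefix} AS{asn}: {state}")
```

On the constructed data the /25 is dropped because it is longer than the ROA's maxLength, 198.51.100.0/24 is dropped because the ROA names a different origin, and 192.0.2.0/24 survives only because no ROA covers it; with `accept_notfound=False` it is dropped too. Splitting the rendered list into per-family lists with their own sequence numbers is what a real generator would do anyway, and it is also the place to chunk very long lists if a platform limits how many entries one prefix-list can hold.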