do not filter your customers

Leo Bicknell bicknell at ufp.org
Fri Feb 24 20:59:50 UTC 2012


In a message written on Fri, Feb 24, 2012 at 01:04:20PM -0700, Shane Amante wrote:
> Solving for route leaks is /the/ "killer app" for BGPSEC.  I can't understand why people keep ignoring this.

Not all "leaks" are bad.

I remember when there was that undersea landslide in Asia that took
out a bunch of undersea cables.  Various providers quickly did
mutual transit and other arrangements to route around the problem,
getting a number of things back up quite quickly.  These did not
match IRR records though, and likely would not have matched BGPSEC
information, at least not initially.

There are plenty of cases where someone "leaks" more specifics with
NO_EXPORT to only one of their BGP peers for the purposes of TE.

The challenge of securing BGP isn't crypto, and it isn't enough
ram/cpu/whatever to process it.  The challenge is getting a crypto
scheme that operators can use to easily represent the real world.
It turns out the real world is quite messy though, often full of
temporary hacks, unusual relationships and other issues.

I'm sure it will be solved, one day.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/