ROVER routing security - it's not enumeration
Randy Bush
randy at psg.com
Tue Jun 5 21:00:49 UTC 2012
>>>> routing protection without enumeration.
>>> I can see a use-case for something like:
>>> "Build me a prefix list from the RIR data"
>> this requires a full data fetch, not doable in dns.
> does it? shane implied (and it doesn't seem UNREASONABLE, modulo some
> 'doing lots of spare queries') to query for each filter entry at
> filter creation time, no?
what is the query set, every prefix /7-/24 for the whole fracking ABC
space?
> that could be optimized I bet, but it SEEMS doable, cumbersome, but
> doable. the 'fail open' answer also seems a bit rough in this case
> (but no worse than 'download irr, upload to router, win!' which is
> today's model).
irr, i do have the 'full' set. but you said RIR (the in-addr roots),
not IRR. was it a mis-type?
and i am not gonna put my origin data in the irr and the dns.
randy