ROVER routing security - it's not enumeration

Randy Bush randy at psg.com
Tue Jun 5 21:00:49 UTC 2012


>>>> routing protection without enumeration.
>>> I can see a use-case for something like:
>>>   "Build me a prefix list from the RIR data"
>> this requires a full data fetch, not doable in dns.
> does it? shane implied (and it doesn't seem UNREASONABLE, modulo some
> 'doing lots of spare queries') to query for each filter entry at
> filter creation time, no?

what is the query set, every prefix /7-/24 for the whole fracking ABC
space?

> that could be optimized I bet, but it SEEMS doable, cumbersome, but
> doable.  the 'fail open' answer also seems a bit rough in this case
> (but no worse than 'download irr, upload to router, win!' which is
> today's model).

irr, i do have the 'full' set.  but you said RIR (the in-addr roots),
not IRR.  was it a mis-type?

and i am not gonna put my origin data in the irr and the dns.

randy



