filtering /48 is going to be necessary

Arturo Servin arturo.servin at gmail.com
Sun Mar 11 19:30:54 UTC 2012




On 11 Mar 2012, at 09:48, Iljitsch van Beijnum <iljitsch at muada.com> wrote:

> On 9 Mar 2012, at 10:02 , Jeff Wheeler wrote:
> 
>> The way we are headed right now, it is likely that the IPv6 address
>> space being issued today will look like "the swamp" in a few short
>> years, and we will regret repeating this obvious mistake.
> 
>> We had this discussion on the list exactly a year ago.  At that time,
>> the average IPv6 origin ASN was announcing 1.43 routes.  That figure
>> today is 1.57 routes per origin ASN.
> 
> The IETF and IRTF have looked at the routing scalability issue for a long time. The IETF came up with shim6, which allows multihoming without BGP. Unfortunately, ARIN started to allow IPv6 PI just in time so nobody bothered to adopt shim6. I haven't followed the IRTF RRG results for a while, but at some point LISP came out of this, where we basically tunnel the entire internet so the core routers don't have to see the real routing table.
> 
> But back to the topic at hand: filtering long prefixes. There are two reasons you want to do this:
> 
> 1. Attackers could flood BGP with bogus prefixes to make tables overflow
> 
> 2. Legitimate prefixes may be deaggregated so tables overflow
> 
> It won't be quick or easy, but the RPKI stuff should solve 1.
> 
> 

Unless the attacker uses the same origin AS that is in the ROA. Probably it won't hijack the traffic but it may create a DoS or any other kind of problem.

Regards,
as
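
Added example, not part of the original message: a minimal sketch of RFC 6811 route origin validation, illustrating the point above that an announcement carrying the ROA's origin AS validates whenever its length is within maxLength, and that a tight maxLength bounds how many such routes can exist. The prefix 2001:db8::/32, AS numbers 64496 and 64511, and both ROAs are constructed documentation values; the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: ipaddress.IPv6Network
    max_length: int
    asn: int

def validate(route: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        # A ROA covers a route that is equal to or more specific than its prefix.
        if net.version == roa.prefix.version and net.subnet_of(roa.prefix):
            covered = True
            # Only the origin AS and the prefix length are checked; the rest
            # of the AS path is not, so a forged origin passes this test.
            if net.prefixlen <= roa.max_length and origin_asn == roa.asn:
                return "valid"
    return "invalid" if covered else "not-found"

def valid_route_count(roa: ROA) -> int:
    """Distinct prefixes that validate under this ROA when the origin matches."""
    return 2 ** (roa.max_length - roa.prefix.prefixlen + 1) - 1

# Constructed sample data (documentation prefix and AS numbers).
NET = ipaddress.ip_network("2001:db8::/32")
LOOSE = [ROA(NET, 48, 64496)]  # maxLength permits deaggregation down to /48
TIGHT = [ROA(NET, 32, 64496)]  # maxLength equals the prefix length

if __name__ == "__main__":
    announcements = [
        ("2001:db8::/32", 64496),      # the aggregate itself
        ("2001:db8:1::/48", 64496),    # more specific, origin matches the ROA
        ("2001:db8:1::/48", 64511),    # more specific, different origin
        ("2001:db8:1:1::/64", 64496),  # longer than either maxLength
    ]
    for prefix, asn in announcements:
        print(f"{prefix:20} AS{asn}  loose={validate(prefix, asn, LOOSE):8}"
              f" tight={validate(prefix, asn, TIGHT)}")
    print("routes valid under loose ROA:", valid_route_count(LOOSE[0]))
    print("routes valid under tight ROA:", valid_route_count(TIGHT[0]))
```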


