filtering /48 is going to be necessary
Arturo Servin
arturo.servin at gmail.com
Sun Mar 11 19:30:54 UTC 2012
On 11 Mar 2012, at 09:48, Iljitsch van Beijnum <iljitsch at muada.com> wrote:
> On 9 Mar 2012, at 10:02 , Jeff Wheeler wrote:
>
>> The way we are headed right now, it is likely that the IPv6 address
>> space being issued today will look like "the swamp" in a few short
>> years, and we will regret repeating this obvious mistake.
>
>> We had this discussion on the list exactly a year ago. At that time,
>> the average IPv6 origin ASN was announcing 1.43 routes. That figure
>> today is 1.57 routes per origin ASN.
>
> The IETF and IRTF have looked at the routing scalability issue for a long time. The IETF came up with shim6, which allows multihoming without BGP. Unfortunately, ARIN started to allow IPv6 PI just in time so nobody bothered to adopt shim6. I haven't followed the IRTF RRG results for a while, but at some point LISP came out of this, where we basically tunnel the entire internet so the core routers don't have to see the real routing table.
>
> But back to the topic at hand: filtering long prefixes. There are two reasons you want to do this:
>
> 1. Attackers could flood BGP with bogus prefixes to make tables overflow
>
> 2. Legitimate prefixes may be deaggregated so tables overflow
>
> It won't be quick or easy, but the RPKI stuff should solve 1.
>
>
Unless the attacker uses the same origin AS that is in the ROA. Probably it won't hijack the traffic but it may create a DoS or any other kind of problem.
Regards,
as
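
The case raised in the reply above, as an added example that is not part of the original post: a minimal RFC 6811 route origin validation check combined with a /48 length filter, run over constructed announcements. The ROA, prefixes (documentation range 2001:db8::/32) and AS numbers are assumptions made up for illustration.

```python
import ipaddress

# Constructed ROA table (documentation prefix and reserved ASNs, not real data):
# (prefix, maxLength, authorized origin AS)
ROAS = [
    (ipaddress.ip_network("2001:db8::/32"), 36, 64500),
]

def validate(prefix, as_path):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'.

    Only the rightmost AS in the path (the origin) is compared to the ROA;
    the rest of the path is not checked by origin validation.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_net, max_len, roa_as in ROAS:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin == roa_as:
            return "valid"
    return "invalid" if covered else "notfound"

def accept(prefix, as_path, max_prefixlen=48):
    """Import policy: drop prefixes longer than /48 and RPKI-invalid routes."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_prefixlen:
        return False
    return validate(prefix, as_path) != "invalid"

# Constructed announcements: (prefix, AS path as seen by the receiver)
ANNOUNCEMENTS = [
    ("2001:db8::/32", [64510, 64500]),            # legitimate origin
    ("2001:db8:1000::/36", [64666, 64500]),       # path ends in the ROA's origin AS
    ("2001:db8:1000::/36", [64666]),              # wrong origin
    ("2001:db8:1234::/48", [64510, 64500]),       # deaggregated beyond maxLength
    ("2001:db8:1234:5600::/56", [64510, 64500]),  # longer than /48
    ("2001:dba::/32", [64511]),                   # no covering ROA
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:26} path={path} rov={validate(prefix, path):8} "
              f"accept={accept(prefix, path)}")
```

The second announcement validates because its path ends in the AS named in the ROA, which is the situation the reply describes; the ROA's maxLength still bounds how specific such an announcement can be.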