algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

Max Tulyev maxtul at netassist.ua
Fri Feb 12 15:54:03 UTC 2016


Hi Martin,

well, not only as-set and route.

Assuming only legitimate owners of inetnum and aut-num have passwords for
mntner from those objects can modify their RIPE DB objects and can create
routes.

So to create a route object, you have to have access to the inetnum and
aut-num objects (that can be different passwords and owners in general).

Then, you state in your aut-num import and export to some upstream. To
do that, you have to use your password, of course.

Then, your upstream modifies its aut-num, stating import of your ASN from
you and export of your ASN to its upstream... and so on.

So it is possible to provide a full chain of trust inside the RIPE region
that way.

As-sets are only a way to manage a lot of downstreams' ASNs more easily.

Many ISPs use it; there is some software, like the one RETN made, to build
prefix lists for your downstreams automatically. And it works.

There are three problems: first, it is only RIPE region specific. You
can't do that with ARIN nets, for example. Second, it is RIPE-dependent.
So we depend on the RIPE DB when doing routing. In some cases it can do some
harm. Third, if someone steals or "recovers" the RIPE DB password for some
inetnum, he can easily do a hijack through a system that uses RIPE DB filtering.

On 04.02.16 13:14, Martin T wrote:
> Hi,
> 
> am I correct that ISPs (in RIPE region), who update their BGP prefix
> filters automatically, ask their IP transit customer or peering
> partner to provide their "route"/"route6" object(s) or "as-set" object
> in order to find all the prefixes which they should accept? If the IP
> transit customer or peering partner provides an "as-set", then ISP
> needs to ensure that this "as-set" belongs to this IP transit customer
> or peering partner because there is no automatic authentication for
> this, i.e. anybody can create an "as-set" object in the database with
> random "members" attributes? This is opposite to "route"/"route6"
> objects which follow a strict authentication scheme. In addition, in
> case of "as-set", an ISP needs to recursively find all the AS numbers
> from "members" attributes because "as-set" can include other
> "as-sets"? Quite a lot of questions, but I would simply like to be sure
> that I understand this correctly.
> 
> 
> thanks,
> Martin
> 
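
The recursive "as-set" expansion and "route"/"route6" lookup discussed in this thread, as an added example that is not part of either message and is not RETN's or any other project's software. The RPSL objects are constructed sample data using documentation ASNs and prefixes, and the function names are hypothetical; it covers only the expansion, not the question of who maintains the as-set.

```python
import re
# Constructed RPSL objects (documentation ASNs/prefixes), not real RIPE DB data.
SAMPLE_DB = """as-set: AS-EXAMPLE-CUST
members: AS64500, AS-EXAMPLE-DOWN

as-set: AS-EXAMPLE-DOWN
members: AS64501, AS-EXAMPLE-CUST, AS-MISSING

route: 192.0.2.0/24
origin: AS64500

route6: 2001:db8::/32
origin: AS64501

route: 203.0.113.0/24
origin: AS64511"""

def parse_objects(text):
    """Return (as_sets, routes): set name -> members, origin ASN -> prefixes."""
    as_sets, routes = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = [tuple(s.strip() for s in l.split(":", 1)) for l in block.splitlines() if ":" in l]
        kind, name = attrs[0]
        if kind == "as-set":
            as_sets[name.upper()] = [m.strip().upper() for k, v in attrs[1:]
                                     if k == "members" for m in v.split(",") if m.strip()]
        elif kind in ("route", "route6"):
            routes.setdefault(dict(attrs)["origin"].upper(), []).append(name)
    return as_sets, routes

def expand_as_set(name, as_sets):
    """Expand nested as-sets; return (ASNs, set names not found in the data)."""
    asns, unresolved, seen, stack = set(), set(), set(), [name.upper()]
    while stack:
        cur = stack.pop()
        if re.fullmatch(r"AS\d+", cur):
            asns.add(cur)
        elif cur not in as_sets:
            unresolved.add(cur)  # referenced set with no object: report, do not guess
        elif cur not in seen:    # visit each set once: as-sets can reference each other
            seen.add(cur)
            stack.extend(as_sets[cur])
    return asns, unresolved

def build_prefix_list(as_set_name, text=SAMPLE_DB):
    """Prefixes of route/route6 objects whose origin is in the expanded as-set."""
    as_sets, routes = parse_objects(text)
    asns, unresolved = expand_as_set(as_set_name, as_sets)
    return sorted(p for a in asns for p in routes.get(a, [])), sorted(unresolved)
```

In the sample, the two as-sets reference each other, AS-MISSING has no object, and the 203.0.113.0/24 route belongs to an origin outside the set, so it stays out of the generated list.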


