Home page logo

nanog logo nanog mailing list archives

Re: using IRR tools for BGP route filtering
From: Danny McPherson <danny () tcb net>
Date: Wed, 21 Jun 2000 22:11:03 -0600

i emphatically DO NOT think that large providers should filter other
peers. i think the large providers should filter their own announcements,
by carefully verifying what a downstream wishes to announce before
accepting it, filtering the customer announcements, and aggregating their
announcements to peers. 

I believe Randy's point is that it'd be really nice to filter prefixes 
learned from peers, but even if the routing databases were up to date, 
reliable and useful, the routers can't perform the policy matches against
filters fast enough.  

And I agree completely.  The fact that pretty much any network with an
AS number could take any Internet subnet completely offline in a matter 
of -- what, ~8 minutes(?), intentionally or unintentionally, well, 
I think it's pretty amazing.  The only way a service provider can protect
their customers from this is by applying prefix-based filtering to all
their peers.

Of course, this requires valid, accessible, up to date IP registration
information.  It also routers that can store hundreds of thousands of 
lines of policies.  Then, the routers have to be able to perform matches
on the policies when processing updates.  All this is at the "control

Then, ideally, the routers would be able to utilize the same set of 
policies to perform packet filtering functions in the "data plane",
which is even more interesting.

These two components alone would make the overall Internet 
infrastructure far more reliable and secure than it is today,
no doubt.

i think its silly to try and regulate the world from ones own corner. 
regulate your corner, and encourage others to do the same. i don't care if
said encouragement is by tacit agreememnt, or bound up in legealese in
peering agreements.

I don't think it's silly at all to regulate the policies one employs in
in their network in order to increase overall destination availability 
to ones customers.  Policies of this nature only require support of the
network that implements them.  Other than requiring peers to keep registry 
information up to date, they impact the peer networks no way whatsoever.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]