nanog mailing list archives

Re: using IRR tools for BGP route filtering
From: Jessica Yu <jyy_99 () yahoo com>
Date: Thu, 22 Jun 2000 11:33:19 -0700 (PDT)

If every ISP does prefix based filtering on its downstream customers, the integrity of the Internet routing system will be improved a lot. The document below proposes such a model:


--- Danny McPherson <danny () tcb net> wrote:

i emphatically DO NOT think that large providers should filter other peers. i think the large providers should filter their own announcements, by carefully verifying what a downstream wishes to announce before accepting it, filtering the customer announcements, and aggregating their announcements to peers.

I believe Randy's point is that it'd be really nice to filter prefixes learned from peers, but even if the routing databases were up to date, reliable and useful, the routers can't perform the policy matches against filters fast enough.

And I agree completely. The fact that pretty much any network with an AS number could take any Internet subnet completely offline in a matter of -- what, ~8 minutes(?), intentionally or unintentionally, well, I think it's pretty amazing. The only way a service provider can protect their customers from this is by applying prefix-based filtering to all their peers.

Of course, this requires valid, accessible, up to date IP registration information. It also requires routers that can store hundreds of thousands of lines of policies. Then, the routers have to be able to perform matches on the policies when processing updates. All this is at the "control

Then, ideally, the routers would be able to utilize the same set of policies to perform packet filtering functions in the "data plane", which is even more interesting.

These two components alone would make the overall infrastructure far more reliable and secure than it is today, no doubt.

i think it's silly to try and regulate the world from one's own corner. regulate your corner, and encourage others to do the same. i don't care if said encouragement is by tacit agreement, or bound up in legalese in peering agreements.

I don't think it's silly at all to regulate the policies one employs in their network in order to increase overall destination availability to one's customers. Policies of this nature only require support of the network that implements them. Other than requiring peers to keep registry information up to date, they impact the peer networks in no way whatsoever.
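
The following added example, which is not part of the original messages and not the code of any IRR tool, builds a customer allow list from RPSL route objects and checks announced prefixes against it. The route objects, AS numbers, maintainer names and function names are constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes, documentation ASNs).
SAMPLE_IRR = """\
route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE

route:   198.51.100.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE

route:   203.0.113.0/24
origin:  AS64501
mnt-by:  MAINT-OTHER
"""

def parse_route_objects(text):
    """Return a set of (network, origin) pairs from RPSL route/route6 objects."""
    registered = set()
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only, so IPv6 values survive
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            registered.add((ipaddress.ip_network(prefix, strict=True),
                            attrs["origin"].upper()))
    return registered

def build_customer_filter(registered, customer_asns):
    """Keep only routes registered with an origin this customer may announce."""
    return {(net, asn) for net, asn in registered if asn in customer_asns}

def check_announcement(prefix, origin, allow):
    """Accept only an exact (prefix, origin) match; otherwise return the reason."""
    net = ipaddress.ip_network(prefix, strict=True)
    if (net, origin.upper()) in allow:
        return "accept"
    if any(net.subnet_of(a) for a, _ in allow
           if a.version == net.version and a != net):
        return "reject: more specific than registered route"
    return "reject: not registered for this customer"

# Filter for a hypothetical customer whose only origin AS is AS64500.
ALLOW = build_customer_filter(parse_route_objects(SAMPLE_IRR), {"AS64500"})
```

The third sample object is registered to a different origin, so an announcement of 203.0.113.0/24 from this customer is rejected rather than propagated.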

