nanog mailing list archives

Re: So -- what did happen to Panix?
From: bmanning () vacation karoshi com
Date: Fri, 27 Jan 2006 12:51:40 +0000

On Fri, Jan 27, 2006 at 04:36:28AM -0800, Randy Bush wrote:

what I saw by going through the diffs, etc. that I have
available to me is that the prefix was registered to be announced
by our customer and hence made it into our automatic IRR filters.

i.e., the 'error' was intended, and followed all process.

so, what i don't see is how any hacks on routing, such as delay,
history, ... will prevent this while not, at the same time, have
very undesired effects on those legitimately changing isps.

seems to me that certified validation of prefix ownership and as
path are the only real way out of these problems that does not
teach us the 42 reasons we use a *dynamic* protocol.

        perhaps you mean certified validation of prefix origin
        and path.  Ownership of any given prefix is a dicey concept
        at best.

        as a start, i'd want two things for authentication and integrity
        checks:  AS P asserts it is the origin of prefix R and prefix R
        asserts the true origin AS is P (or Q or some list).  Being able
        to check these assertions and being assured of the authenticity
        and integrity of the answers goes a long way, at least for me.

        path validation is something else and a worthwhile goal.

what am i missing here?
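
The two-sided origin check proposed in the reply above, as an added example that is not part of the original message: an announcement is accepted only when the AS claims the prefix and the prefix names that AS. The function names, tables and sample values are hypothetical, matching is exact-prefix only, and each record is assumed to have already passed an authenticity and integrity check.

```python
import ipaddress

def _net(prefix):
    # Canonical network object; raises ValueError if host bits are set.
    return ipaddress.ip_network(prefix, strict=True)

# Constructed sample data: documentation prefixes and documentation ASNs.
# AS-side assertions: "AS P asserts it is the origin of prefix R".
AS_ASSERTS = {
    64496: {_net("192.0.2.0/24")},
    64497: {_net("198.51.100.0/24")},
    64498: {_net("198.51.100.0/24")},  # new ISP of a holder changing providers
    64511: {_net("192.0.2.0/24")},     # registered by an AS the prefix never named
}
# Prefix-side assertions: "prefix R asserts the true origin AS is P (or Q)".
PREFIX_ASSERTS = {
    _net("192.0.2.0/24"): {64496},
    _net("198.51.100.0/24"): {64497, 64498},  # old and new origin both listed
    _net("203.0.113.0/24"): {64499},          # AS 64499 has asserted nothing
}

def check_origin(prefix, origin_as):
    """Classify a (prefix, origin AS) pair by which side vouches for it."""
    net = _net(prefix)
    as_side = net in AS_ASSERTS.get(origin_as, set())
    prefix_side = origin_as in PREFIX_ASSERTS.get(net, set())
    if as_side and prefix_side:
        return "accept"
    if as_side:
        return "as-only"        # the one-sided registration case
    if prefix_side:
        return "prefix-only"
    return "unknown"

def build_filter(origin_as):
    """Prefixes to permit from origin_as: only those asserted from both sides."""
    claimed = AS_ASSERTS.get(origin_as, set())
    return sorted(str(n) for n in claimed
                  if check_origin(str(n), origin_as) == "accept")

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("198.51.100.0/24", 64498), ("203.0.113.0/24", 64499)]:
        print(pfx, asn, check_origin(pfx, asn))
```

A filter generated from the AS-side table alone would permit 192.0.2.0/24 from AS 64511; requiring the prefix-side assertion as well leaves that AS with an empty filter, while both the old and new origin of 198.51.100.0/24 are accepted without any delay or history mechanism.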

