nanog mailing list archives

Re: So -- what did happen to Panix?
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Fri, 27 Jan 2006 11:58:47 -0500


On Jan 27, 2006, at 11:39 AM, Joe Abley wrote:

On 27-Jan-2006, at 11:12, bmanning () vacation karoshi com wrote:

        but by definition, the right-most entry is the prefix origin...

Suppose AS 9327 decides to originate 198.32.6.0/24, but prepends 4555 to the AS_PATH as it does so. Suppose 9327 uses a transit provider which builds prefix filters from the IRR, and the "as9327" aut-num object is modified to include policy which suggests 9327 provides transit for 4555. Suppose this is not actually the case, though, and in fact 9327 is a rogue AS which is trying to capture 4555's traffic.

The rest of the world sees a prefix with an AS_PATH attribute which ends with "9327 4555".

In this case, from the point of view of those trying to discern legitimacy of advertisements, what is the origin of the prefix? Is it 4555, or 9327?

Is it possible to tell, from just the right-most entry in the AS_PATH attribute?

Suggested solutions do not have to solve every possible problem.

Knowing the "correct" origin will stop accidental announcements, like the one under discussion in this thread.

And, I suspect, most problems we see today of this sort. We are not (yet) to the point where maliciously originated prefixes are as big a problem as accidentally originated prefixes.

--
TTFN,
patrick
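
Added example, not part of the original message or of any tool named in the thread: a right-most-AS origin check run over constructed announcements, showing that it flags an accidental origination while the "9327 4555" path from the quoted scenario still passes. The origin table, the function names and ASNs 64500 and 64501 (documentation ASNs) are assumptions made for illustration.

```python
import ipaddress

# Constructed table of registered origins (prefix -> allowed origin ASNs).
# The prefix and AS 4555 come from the thread; the mapping itself is an assumption.
REGISTERED_ORIGINS = {
    ipaddress.ip_network("198.32.6.0/24"): {4555},
}

def origin_of(as_path):
    """Return the right-most ASN of a space-separated AS_PATH string."""
    hops = [int(h) for h in as_path.split()]
    if not hops:
        raise ValueError("empty AS_PATH")
    return hops[-1]

def covering_entry(prefix):
    """Most specific registered prefix covering the announced prefix, or None."""
    net = ipaddress.ip_network(prefix)
    matches = [r for r in REGISTERED_ORIGINS
               if r.version == net.version and net.subnet_of(r)]
    return max(matches, key=lambda r: r.prefixlen, default=None)

def check_origin(prefix, as_path):
    """Classify an announcement as valid, invalid or unknown by origin AS only."""
    entry = covering_entry(prefix)
    if entry is None:
        return "unknown"
    allowed = REGISTERED_ORIGINS[entry]
    return "valid" if origin_of(as_path) in allowed else "invalid"

# Constructed announcements; 64500 and 64501 are documentation ASNs.
SAMPLES = [
    ("198.32.6.0/24", "64501 4555"),       # expected origin
    ("198.32.6.0/24", "64501 64500"),      # accidental origination by another AS
    ("198.32.6.0/24", "64501 9327 4555"),  # quoted scenario: 9327 prepends 4555
    ("192.0.2.0/24", "64501 64500"),       # no registered entry for this prefix
]

def run():
    """Return the verdict for each constructed sample, in order."""
    return [check_origin(prefix, path) for prefix, path in SAMPLES]

if __name__ == "__main__":
    for (prefix, path), verdict in zip(SAMPLES, run()):
        print(f"{prefix:<16} {path:<18} {verdict}")
```
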

