Home page logo
/

nanog logo nanog mailing list archives

Re: do not filter your customers
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 24 Feb 2012 20:59:18 -0500

On Fri, Feb 24, 2012 at 8:24 PM, Jeffrey S. Young <young () jsyoung net> wrote:
1.  Make your customers register routes, then filter them.
    (may be time for big providers to put routing tools into
    open source for the good of the community - make it
    less hard?)

not a big provider, but ras () e-gerbil did release irr-tools no?

2.  Implement the "1-hop" hack to protect your BGP peering.

98% of problem solved on the Internet today


which problem? GTSH only protects your actual bgp session, not the
content of the session(s) or the content across the larger network.

3.  Implement a "# of routes-type" filter to make your peers
    (and transit customers) phone you if they really do want
    to add 500,000 routes to your session ( or the wrong set
    of YouTube routes...).

max-prefix already exists... sometimes it works, sometimes it's a
burden. It doesnt' tell you anything about the content of the session
though (the YT routes example doesn't actually work that way)

99.9% of problem solved.

? not sure about that number

4.  Implement BGP-Sec

99.91% of "this" problem solved.

Because #1 is 'just too hard' and because #4 is just too sexy
as an academic pursuit we all suffer the consequences.  It's

there are folks working on the #4 problem, not academics even. It's
not been particularly sexy though :(

a shame that tier one peering agreements didn't evolve with
a 'filter your customers' clause (aka do the right thing) as well
as a 'like for like' (similar investments) clause in them.

I'm missing something here... it's not clear to me that 'tier1'
providers matter a whole lot in the discussion. Many of them have
spoken up saying: "Figuring out the downstream matrix in order to put
a prefix-list on my SFP peer is not trivial, and probably not workable
on gear today." (shane I think has even said this here...)

I'm not downplaying the BGP-SEC work, I think it's valid and
may one day save us from some smart bunny who wants to
make a name for himself by bringing the Internet to a halt.  I
don't believe that's what we're battling here.  We're battling the
operational cost of doing the right thing with the toolset we have

right, so today you have to do a lot of math/work to figure out if
your customer's prefixes are hers, and if they should be permitted
into your RIB. Tomorrow you COULD get a better end result with less
work and more assurance given a populated resource certification
system.

Extending some into the land of BGPSEC you COULD also know that the
route you hear originated from the correct ASN and later you'd be able
to tell that path the route travel was the same as the ASPATH in the
route...

-chris


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]