mailing list archives
Re: do not filter your customers
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 24 Feb 2012 20:59:18 -0500
On Fri, Feb 24, 2012 at 8:24 PM, Jeffrey S. Young <young () jsyoung net> wrote:
1. Make your customers register routes, then filter them.
(may be time for big providers to put routing tools into
open source for the good of the community - make it
not a big provider, but ras () e-gerbil did release irr-tools no?
2. Implement the "1-hop" hack to protect your BGP peering.
98% of problem solved on the Internet today
which problem? GTSH only protects your actual bgp session, not the
content of the session(s) or the content across the larger network.
3. Implement a "# of routes-type" filter to make your peers
(and transit customers) phone you if they really do want
to add 500,000 routes to your session ( or the wrong set
of YouTube routes...).
max-prefix already exists... sometimes it works, sometimes it's a
burden. It doesnt' tell you anything about the content of the session
though (the YT routes example doesn't actually work that way)
99.9% of problem solved.
? not sure about that number
4. Implement BGP-Sec
99.91% of "this" problem solved.
Because #1 is 'just too hard' and because #4 is just too sexy
as an academic pursuit we all suffer the consequences. It's
there are folks working on the #4 problem, not academics even. It's
not been particularly sexy though :(
a shame that tier one peering agreements didn't evolve with
a 'filter your customers' clause (aka do the right thing) as well
as a 'like for like' (similar investments) clause in them.
I'm missing something here... it's not clear to me that 'tier1'
providers matter a whole lot in the discussion. Many of them have
spoken up saying: "Figuring out the downstream matrix in order to put
a prefix-list on my SFP peer is not trivial, and probably not workable
on gear today." (shane I think has even said this here...)
I'm not downplaying the BGP-SEC work, I think it's valid and
may one day save us from some smart bunny who wants to
make a name for himself by bringing the Internet to a halt. I
don't believe that's what we're battling here. We're battling the
operational cost of doing the right thing with the toolset we have
right, so today you have to do a lot of math/work to figure out if
your customer's prefixes are hers, and if they should be permitted
into your RIB. Tomorrow you COULD get a better end result with less
work and more assurance given a populated resource certification
Extending some into the land of BGPSEC you COULD also know that the
route you hear originated from the correct ASN and later you'd be able
to tell that path the route travel was the same as the ASPATH in the