Re: Autonomous System Sanity Protocol

Noel Chiappa <> Sat, 26 April 1997 09:51 UTC

Received: from by id aa15733; 26 Apr 97 5:51 EDT
Received: from cnri by id aa15492; 26 Apr 97 5:47 EDT
Received: from by CNRI.Reston.VA.US id aa05690; 26 Apr 97 5:47 EDT
Received: by id AA19156; Sat, 26 Apr 97 05:44:04 -0400
Date: Sat, 26 Apr 97 05:44:04 -0400
From: Noel Chiappa <>
Message-Id: <>
To:, ietf@CNRI.Reston.VA.US
Subject: Re: Autonomous System Sanity Protocol
Source-Info: From (or Sender) name not authenticated.

    From: Tony Li <>

    > We need to move to a routing architecture where maps are distributed,
    > *not* routing tables.

    Exactly how does this prevent the exchange of bad information?

Well, a full-scale explanation is a major tome (we can explore that on Big-I
in more detail if you want), but *briefly*, the idea is that you can i) prevent
lots of kinds of bad information, and ii) deal much better with the kinds you
can't stop.

For instance, use of public key cryptography can prevent anyone else from
originating bad information about connectivity inside or to X - their map
updates will not be correctly signed with X's private key. Only "auhorized"
agents of topological entity X (i.e. those allowed to distribute maps or
abstractions of X, outside X) have the key to sign map data about X.

(X and Y can still cooperate to lie about having connectivity between them,
when in fact they do not, but you can (albeit with some work) detect that and
work around it, if you have not only a map distribution system, but explicit
routing too.)

It can certainly prevent all unilateral bad information, i.e. based on someone
incorrectly configuring their routers (or software/hardware bugs).