Re: Autonomous System Sanity Protocol

Tony Li <> Sat, 26 April 1997 18:07 UTC

Received: from cnri by id aa24906; 26 Apr 97 14:07 EDT
Received: from by CNRI.Reston.VA.US id aa12118; 26 Apr 97 14:06 EDT
Received: from mailing-list by (8.6.9/1.0) id EAA09675; Sun, 27 Apr 1997 04:00:03 +1000
Received: from munnari.OZ.AU by (8.6.9/1.0) with SMTP id DAA09623; Sun, 27 Apr 1997 03:43:04 +1000
Received: from by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id RA06694; Sun, 27 Apr 1997 03:43:01 +1000 (from
Received: from ( []) by (8.8.5/8.8.5) with ESMTP id KAA19026; Sat, 26 Apr 1997 10:42:49 -0700 (PDT)
Received: (from tli@localhost) by (8.7.6/8.7.3) id KAA29850; Sat, 26 Apr 1997 10:42:37 -0700 (PDT)
To: Noel Chiappa <>
Subject: Re: Autonomous System Sanity Protocol
References: <>
From: Tony Li <>
Date: 26 Apr 1997 10:42:37 -0700
In-Reply-To:'s message of 26 Apr 97 09:44:04 GMT
Message-Id: <>
Lines: 45
X-Mailer: Gnus v5.3/Emacs 19.34
Precedence: bulk (Noel Chiappa) writes:

>     > We need to move to a routing architecture where maps are distributed,
>     > *not* routing tables.
>     Exactly how does this prevent the exchange of bad information?
> Well, a full-scale explanation is a major tome (we can explore that on Big-I
> in more detail if you want), but *briefly*, the idea is that you can i)
> prevent lots of kinds of bad information, and ii) deal much better with
> the kinds you can't stop.
> For instance, use of public key cryptography can prevent anyone else from
> originating bad information about connectivity inside or to X - their map
> updates will not be correctly signed with X's private key. Only "auhorized"
> agents of topological entity X (i.e. those allowed to distribute maps or
> abstractions of X, outside X) have the key to sign map data about X.

This would seem to be a red herring.  If you posit the use of PKC for map
distribution it seems only fair to posit its use in a prefix distribution
system.  And this also presumes the existence of a mechanism to derive
prefix authority.  This is thought to be non-trivial.

> It can certainly prevent all unilateral bad information, i.e. based on
> someone incorrectly configuring their routers (or software/hardware bugs).


If we consider a typical link state protocol today (as perhaps a degenerate
example of map distribution), it's trivial to inject bad information and
have it propagate throughout the immediate map.  Further, unless there is
intelligence (aka filtering) between the local map and the global map, it
will tend to propagate globally.

I would tend to agree with you more if we had a system where we had
stronger abstraction boundaries and fewer abstraction violations.  It would
leave us with less need to propagate information from the immediate map to
the global map because we'd simply be propagating the static abstraction
information.  Unfortunately, our inability to do this is more a function of
the address allocation than the information distribution mechanism.  As an
example, consider a utopian world where we had an address assignment which
maintained such strong abstraction boundaries.  Using BGP4, one simply does
proxy aggregation...