Re: [RPSEC] FW: AS 8437 announced a quarter of the net for half of an hour

Iljitsch van Beijnum <iljitsch@muada.com> Wed, 16 August 2006 13:23 UTC

In-Reply-To: <200608161305.k7GD53L5058305@workhorse.brookfield.occnc.com>
References: <200608161305.k7GD53L5058305@workhorse.brookfield.occnc.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <1677AFC4-AAF1-4EBD-AD63-9F2C4C6FBFBC@muada.com>
Content-Transfer-Encoding: 7bit
From: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: [RPSEC] FW: AS 8437 announced a quarter of the net for half of an hour
Date: Wed, 16 Aug 2006 15:23:40 +0200
To: curtis@occnc.com
X-Mailer: Apple Mail (2.752.2)
Cc: rpsec@ietf.org
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>

On 16-aug-2006, at 15:05, Curtis Villamizar wrote:

> Much of the current problems were solved problems in the early 1990s.
> To get to most of the Internet you had to go through the NSFNET.  To
> get anything through the NSFNET you had to register routes.  The
> NSFNET didn't have the types of problems we are now seeing.  The
> commercial providers of the time did.

Yes; but the NSFNET didn't have to maintain filters for 25k ASes and several times that number in routes. I don't think generating comprehensive filters using current technology is a reasonable solution. _Maybe_ if the router vendors implement better ways to get the filters into their boxes. But then you still have the issue of trusting a database somewhere. In the NSFNET days those weren't all that secure. This has gotten better (especially for the RIPE db because it's also a registry DB) and will be even better when we have certificates in those databases, but I'm still reluctant to have filters change on me automatically.

What I thought you meant was better defaults so it's not so incredibly easy to leak routes. The default is to propagate, wrong filter = leak. With a default that doesn't propagate, all of this gets a lot easier, but of course there are still ways to screw that up.

It may even be a good approach to have default "transit", "peer" and "customer" classes so that people only have to say what type a link is and the filtering happens automatically, at least for those of us who don't need more complexity than this.

Iljitsch

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
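The two ideas in the reply above, "default = don't propagate" and "classify each link as transit, peer or customer and derive the export policy from that", can be shown side by side in a small model. The following is an added example written for this archive page, not code from the original post or from any router vendor: the neighbour names, prefixes and the unclassified link are constructed, and the export rules (customer routes go to everyone, peer and transit routes go only to customers) are the usual valley-free assumption, not something the post spells out. The legacy policy models the failure mode the post describes: every route propagates unless an explicit per-pair filter says otherwise, so a missing filter is a leak.

```python
"""Toy comparison of BGP export behaviour with and without class-based defaults.

Added example (not part of the original mailing-list post). The link classes and
the valley-free export rules below are assumptions made for the illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class LinkClass(Enum):
    CUSTOMER = "customer"
    PEER = "peer"
    TRANSIT = "transit"


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str  # name of the neighbour that announced it to us


# Constructed sample topology: one transit, one peer, one customer, and one
# neighbour whose link the operator never classified (the misconfiguration).
NEIGHBOURS: Dict[str, Optional[LinkClass]] = {
    "transit-A": LinkClass.TRANSIT,
    "peer-B": LinkClass.PEER,
    "customer-C": LinkClass.CUSTOMER,
    "unclassified-D": None,
}

# Constructed sample RIB: one route learned from each neighbour.
SAMPLE_RIB: List[Route] = [
    Route("198.51.100.0/24", "customer-C"),
    Route("203.0.113.0/24", "peer-B"),
    Route("192.0.2.0/24", "transit-A"),
    Route("100.64.0.0/10", "unclassified-D"),
]

# Legacy per-pair filters the operator remembered to write. Only (from, to)
# pairs present here are evaluated; every other pair falls through to
# "propagate", which is the default the post complains about.
EXPLICIT_FILTERS: Dict[Tuple[str, str], bool] = {
    ("transit-A", "peer-B"): False,  # don't give transit routes to a peer
    ("peer-B", "transit-A"): False,  # don't give peer routes to transit
}

Policy = Callable[[Route, str], bool]


def class_based_export(neighbours: Dict[str, Optional[LinkClass]],
                       route: Route, to_neighbour: str) -> bool:
    """Export decision derived only from the two link classes.

    Default is deny: an unclassified link on either side exports nothing.
    """
    src = neighbours.get(route.learned_from)
    dst = neighbours.get(to_neighbour)
    if src is None or dst is None:
        return False
    if src is LinkClass.CUSTOMER:
        return True  # customer routes go to customers, peers and transits
    return dst is LinkClass.CUSTOMER  # peer/transit routes only to customers


def legacy_export(filters: Dict[Tuple[str, str], bool],
                  route: Route, to_neighbour: str) -> bool:
    """Default-propagate behaviour: a missing filter means 'announce'."""
    rule = filters.get((route.learned_from, to_neighbour))
    return True if rule is None else rule


def announcements(neighbours: Dict[str, Optional[LinkClass]],
                  rib: List[Route], policy: Policy) -> Dict[str, List[str]]:
    """Map each neighbour to the sorted prefixes it would receive."""
    return {
        n: sorted(r.prefix for r in rib if r.learned_from != n and policy(r, n))
        for n in neighbours
    }


def class_based_announcements(neighbours, rib):
    return announcements(neighbours, rib,
                         lambda r, n: class_based_export(neighbours, r, n))


def legacy_announcements(neighbours, rib, filters):
    return announcements(neighbours, rib,
                         lambda r, n: legacy_export(filters, r, n))


def leaks(neighbours, rib, filters) -> List[Tuple[str, str]]:
    """(prefix, neighbour) pairs the legacy policy announces but the
    class-based rules would have blocked: the routes that leaked."""
    legacy = legacy_announcements(neighbours, rib, filters)
    strict = class_based_announcements(neighbours, rib)
    return sorted((p, n) for n, prefixes in legacy.items()
                  for p in prefixes if p not in strict[n])


if __name__ == "__main__":
    for name, table in (("class-based", class_based_announcements(NEIGHBOURS, SAMPLE_RIB)),
                        ("legacy", legacy_announcements(NEIGHBOURS, SAMPLE_RIB, EXPLICIT_FILTERS))):
        print(name, table)
    print("leaked:", leaks(NEIGHBOURS, SAMPLE_RIB, EXPLICIT_FILTERS))
```

Running the comparison shows the difference the post is after: under the class-based policy the unclassified neighbour sends and receives nothing and the transit gets only the customer prefix, while under the legacy policy the two filters the operator did write hold, but the unclassified neighbour's prefix is handed to the transit and the peer, and the transit's prefix is handed to the unclassified neighbour, purely because no filter existed for those pairs.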