[107256] in North American Network Operators' Group
Re: Revealed: The Internet's well known BGP behavior
daemon@ATHENA.MIT.EDU (Deepak Jain)
Thu Aug 28 17:47:53 2008
Date: Thu, 28 Aug 2008 17:47:30 -0400
From: Deepak Jain <deepak@ai.net>
To: Alex Pilosov <alex@pilosoft.com>
In-Reply-To: <Pine.LNX.4.44.0808281140240.4124-100000@bawx.pilosoft.com>
Cc: NANOG <nanog@merit.edu>
Reply-To: deepak@ai.net
Errors-To: nanog-bounces@nanog.org
> *) Filtering your customers using IRR is a requirement, however, it is not
> a solution - in fact, in the demonstration, we registered the /24 prefix
> we hijacked in IRR. RIRs need to integrate the allocation data with their
> IRR data.
>
further clarification... [if this is obvious, just skip over the message].
IRR filters helps prevent *accidental* hijacking and *accidental* route
spillage. In that, they seem to do their job. I don't know why people
think that would help prevent a deliberate hijacking job.
I don't think there is enough "trust" in the IP allocation system from
the RIRs yet (trust anchors being the word of the week) to even
contemplate non-repudiation in advertisements yet.
We can go into lots of reasons why the Internet runs this way. I think
we can all agree 1) Its amazing it runs as well as it does, and 2) No
one has clearly articulated a financial reason for any large
organizations to significantly change their interconnection
methodologies over the current BCP [that exceeds the costs of doing so].
Until either of those assertions change, the status quo will essentially
remain.
Alex et al, I apologize if you already covered this in your preso...
One way to help mitigate the effects of this [as a user] is to keep all
of your conversation end points on the same network -- especially if you
run a VPN or similar -- and [rather than scan your traceroutes daily as
someone suggested] scan the IRRs daily to make sure no changes have been
entered for prefixes you care about.
Just some thoughts,
Deepak Jain
