[107267] in North American Network Operators' Group
Re: Great Suggestion for the DNS problem...?
daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Fri Aug 29 02:46:36 2008
Date: Fri, 29 Aug 2008 08:46:28 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Brian Dickson <briand@ca.afilias.info>
In-Reply-To: <48B725E2.9000403@ca.afilias.info>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Thu, 28 Aug 2008, Brian Dickson wrote:
> However, if *AS-path* filtering is done based on IRR data, specifically
> on the as-sets of customers and customers' customers etc., then the
> attack *can* be prevented.
Yes, but I can't do this for everybody else. Doing AS-path and prefix
filtering (matching that a certain prefix can only be announced by a
certain AS) doesn't scale in IOS for instance.
We do prefix filtering for OUR customers, but there is no feasible way for
me to do this for everybody else. I think this needs to be fixed, but it
involves something new that isn't present today, and I think it needs to
involve vendors because they need to produce new code to handle it.
--
Mikael Abrahamsson email: swmike@swm.pp.se
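
An added example, not part of the original message or thread: a sketch of the two checks discussed above for a route received on a customer session, namely that every ASN in the AS path belongs to the customer's recursively expanded IRR as-set, and that the origin AS is registered for the prefix. The as-set names, ASNs, prefixes and function names are constructed for illustration, and prefix matching is exact-match only as a simplifying assumption.

```python
# Constructed IRR data (documentation ASNs and prefixes, not real registry objects).
AS_SETS = {
    "AS-CUST": ["AS64500", "AS-CUST-DOWNSTREAM"],
    # The downstream set points back at its parent on purpose: real as-sets contain cycles.
    "AS-CUST-DOWNSTREAM": ["AS64501", "AS64502", "AS-CUST"],
}
ROUTES = {  # route objects: prefix -> origin ASNs registered for it
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64502},
}

def expand_as_set(name, as_sets):
    """Flatten an as-set into ASNs, following nested sets and tolerating cycles."""
    asns, seen, stack = set(), set(), [name]
    while stack:
        member = stack.pop()
        if member in seen:
            continue
        seen.add(member)
        if member in as_sets:
            stack.extend(as_sets[member])   # nested as-set: customers' customers
        elif member[2:].isdigit():
            asns.add(int(member[2:]))       # plain "AS<number>" member
        # anything else is an unresolvable set name and contributes nothing
    return asns

def accept(prefix, as_path, customer_as_set, as_sets=AS_SETS, routes=ROUTES):
    """Return (ok, reason) for an announcement received from a customer."""
    if not as_path:
        return False, "empty AS path"
    allowed = expand_as_set(customer_as_set, as_sets)
    outside = [asn for asn in as_path if asn not in allowed]
    if outside:
        return False, f"AS path contains ASNs outside {customer_as_set}: {outside}"
    origin = as_path[-1]                    # rightmost ASN originated the route
    if origin not in routes.get(prefix, set()):
        return False, f"AS{origin} has no route object for {prefix}"
    return True, "ok"

if __name__ == "__main__":
    for pfx, path in [("198.51.100.0/24", [64500, 64501]),
                      ("198.51.100.0/24", [64500, 64511, 64501]),
                      ("203.0.113.0/24", [64500, 64501])]:
        print(pfx, path, accept(pfx, path, "AS-CUST"))
```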