[14539] in North American Network Operators' Group
Re: Deciding whose network block is whose?
daemon@ATHENA.MIT.EDU (Sean M. Doran)
Tue Jan 6 14:24:34 1998
To: Geoff Huston <gih@telstra.net>
Cc: Sean Donelan <SEAN@SDG.DRA.COM>, nanog@merit.edu
From: "Sean M. Doran" <smd@clock.org>
Date: 06 Jan 1998 11:13:47 -0800
In-Reply-To: Geoff Huston's message of "Tue, 30 Dec 1997 11:27:25 +1100"
Geoff Huston <gih@telstra.net> writes:
> I am looking to the regional registries to take some level of initiative
> and provide clients of their address allocation service the ability to
> sign the allocation and then the client can sign the routing request to the
> provider which the provider can verify against the regional registry.
> We went through this in discussion in the room at the time and it
> looked like a viable and useful approach.

Yes, but this is only part of the problem.

I mean, fantastic idea, but then it's not exactly
transitive. How do I know I can trust that Telstra's
announcements have been authorized by the people
responsible for the prefixes in question? Worse, since I
do not talk directly with Telstra, how do I know I can
trust the intermediary networks not to have performed (or
fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I
do to prevent falling victim to subnet-announcement
attacks? Note that a larger CIDR block can still fall
victim to announcements of /19s in networks which use The
Satanic Filters.

Perhaps you have some idea other than mine (prayer) for
scalably solving these and similar issues?

Sean.
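
The following is an added example, not part of the original message. It shows why a /19 prefix-length filter alone does not stop a more-specific announcement inside a larger CIDR block, and how a lookup against registry allocation data flags it. The prefixes, AS numbers, and the `REGISTRY` table are constructed, and the table stands in for an allocation whose signature is assumed to have been verified already. It checks the origin only and does nothing about an altered AS path.

```python
import ipaddress

# Constructed sample data: private address space, documentation AS numbers.
# REGISTRY is a hypothetical stand-in for verified allocation records.
REGISTRY = {ipaddress.ip_network("10.20.0.0/16"): 64500}  # allocation -> holder AS
MAX_PREFIX_LEN = 19  # length filter: drop announcements longer than /19

ANNOUNCEMENTS = [  # (prefix, origin AS) as received from peers
    ("10.20.0.0/16", 64500),   # the holder's own aggregate
    ("10.20.32.0/19", 64501),  # more-specific from a different origin
    ("10.20.64.0/24", 64501),  # longer than /19, dropped by the filter
]

def length_filter(announcements):
    """Keep only announcements no longer than MAX_PREFIX_LEN."""
    kept = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= MAX_PREFIX_LEN:
            kept.append((net, origin))
    return kept

def best_route(dest, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def registry_check(prefix, origin):
    """Compare an announcement's origin with the covering allocation's holder."""
    net = ipaddress.ip_network(prefix)
    covering = [a for a in REGISTRY if net.subnet_of(a)]
    if not covering:
        return "no-allocation"
    alloc = max(covering, key=lambda a: a.prefixlen)
    return "ok" if REGISTRY[alloc] == origin else "origin-mismatch"

def report():
    """Return (prefix, origin, verdict) for every route that passed the filter."""
    return [(str(n), o, registry_check(str(n), o))
            for n, o in length_filter(ANNOUNCEMENTS)]

if __name__ == "__main__":
    routes = length_filter(ANNOUNCEMENTS)
    print("traffic to 10.20.40.1 follows:", best_route("10.20.40.1", routes))
    for row in report():
        print(row)
```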