[150460] in North American Network Operators' Group
Re: do not filter your customers
daemon@ATHENA.MIT.EDU (Danny McPherson)
Fri Feb 24 14:41:43 2012
From: Danny McPherson <danny@tcb.net>
In-Reply-To: <CAL9jLaYbnWuK76zswo0LfU2Z9GxLvhG2FwDoQ0dH9xgxiV=4HQ@mail.gmail.com>
Date: Fri, 24 Feb 2012 14:40:39 -0500
To: North American Network Operators' Group <nanog@nanog.org>
On Feb 24, 2012, at 2:29 PM, Christopher Morrow wrote:
>
> I think if we asked Telstra why they didn't filter their customer some
> answer like:
> 1) we did, we goofed, oops!
> 2) we don't, it's too hard
> 3) filters? what?
>
> I suspect in the case of 1 it's a software problem that needs more
> belts/suspenders
> I suspect in the case of 2 it's a problem that could be shown to be
> simpler with some resource-certification in place
> I suspect 3 is not likely... (or I hope so).
>
> So, even without defining what a leak is, providing a tool to better
> create/verify filtering would be a boon.

Yes, I agree!

What I'd hate to see is:

4) We fully deployed BGPSEC, and RPKI, and upgraded our
infrastructure, and retooled provisioning, operations and processes
to support it all fully, and required our customers and peers to use it,
and even then this still happened - WTF was the point?

This "leak" thing is a key vulnerability that simply can't be brushed
aside - that's the crux of my frustration with the current effort.

-danny
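
An added example, not part of either poster's message: a route leaked by a customer still carries its legitimate origin AS, so RPKI origin validation (RFC 6811) returns "valid" while a per-customer prefix filter rejects it. The ROAs, the customer allow list and both routes are constructed sample data using documentation prefixes and ASNs, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, RFC 5737 / RFC 5398).
ROAS = [  # (prefix, max_length, origin_asn)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64510),
]
# Hypothetical per-customer allow list, as a provider would provision it.
CUSTOMER_PREFIXES = {64500: ["192.0.2.0/24"]}


def _within(net, other):
    """True if net is the same as, or a more specific of, other."""
    return net.version == other.version and net.subnet_of(other)


def rov_state(prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        if _within(net, ipaddress.ip_network(roa_prefix)):
            covered = True
            if net.prefixlen <= max_len and roa_asn == origin_asn:
                return "valid"
    return "invalid" if covered else "not-found"


def customer_filter_accepts(customer_asn, prefix):
    """Accept only prefixes inside what this customer is provisioned to announce."""
    net = ipaddress.ip_network(prefix)
    allowed = CUSTOMER_PREFIXES.get(customer_asn, [])
    return any(_within(net, ipaddress.ip_network(p)) for p in allowed)


def evaluate(customer_asn, prefix, as_path):
    """Return (rov_state, filter_accepts) for a route received from a customer."""
    origin = as_path[-1]  # the origin AS is the last hop in the AS path
    return rov_state(prefix, origin), customer_filter_accepts(customer_asn, prefix)


# Routes received on the session with customer AS64500 (constructed).
OWN_ROUTE = (64500, "192.0.2.0/24", [64500])
# The customer re-announces a route it learned from another provider.
LEAKED_ROUTE = (64500, "198.51.100.0/24", [64500, 64499, 64510])

if __name__ == "__main__":
    for name, route in (("own", OWN_ROUTE), ("leaked", LEAKED_ROUTE)):
        print(name, evaluate(*route))
```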