[151099] in North American Network Operators' Group
Re: filtering /48 is going to be necessary
daemon@ATHENA.MIT.EDU (Arturo Servin)
Sun Mar 11 15:27:59 2012
In-Reply-To: <8CB8B760-21D4-4E90-9C8B-F8DAD0906083@muada.com>
From: Arturo Servin <arturo.servin@gmail.com>
Date: Sun, 11 Mar 2012 13:30:54 -0600
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 11 Mar 2012, at 09:48, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
> On 9 Mar 2012, at 10:02, Jeff Wheeler wrote:
>
>> The way we are headed right now, it is likely that the IPv6 address
>> space being issued today will look like "the swamp" in a few short
>> years, and we will regret repeating this obvious mistake.
>
>> We had this discussion on the list exactly a year ago. At that time,
>> the average IPv6 origin ASN was announcing 1.43 routes. That figure
>> today is 1.57 routes per origin ASN.
>
> The IETF and IRTF have looked at the routing scalability issue for a long time. The IETF came up with shim6, which allows multihoming without BGP. Unfortunately, ARIN started to allow IPv6 PI just in time so nobody bothered to adopt shim6. I haven't followed the IRTF RRG results for a while, but at some point LISP came out of this, where we basically tunnel the entire internet so the core routers don't have to see the real routing table.
>
> But back to the topic at hand: filtering long prefixes. There are two reasons you want to do this:
>
> 1. Attackers could flood BGP with bogus prefixes to make tables overflow
>
> 2. Legitimate prefixes may be deaggregated so tables overflow
>
> It won't be quick or easy, but the RPKI stuff should solve 1.
>
>
Unless the attacker uses the same origin AS that is in the ROA. Probably it won't hijack the traffic but it may create a DoS or any other kind of problem.
Regards,
as
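An added example, not from this thread or from any RPKI implementation, of how RFC 6811 route origin validation classifies announcements; the ROA, prefixes and AS numbers are constructed (documentation space and the private AS range). It shows the two things the thread is about: a path that merely ends in the ROA's origin AS validates exactly like the legitimate route, and a /48 deaggregate inside the ROA's maxLength validates too, so ROV alone addresses neither the reply's point nor reason 2.

```python
# Added example, not from the NANOG thread: a minimal RFC 6811-style route
# origin validation (ROV) over constructed ROAs. AS numbers are from the
# private range (64496-64511) and the prefixes are documentation space.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the ROA covers, e.g. "2001:db8::/32"
    max_length: int  # longest prefix length the holder authorises
    origin_as: int   # AS authorised to originate prefixes under it


def rov_state(prefix: str, as_path: list, roas) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'notfound'.

    ROV only looks at the origin AS (rightmost AS_PATH element) and the
    prefix length; it has no view of who really injected the route, so a
    path that ends in the ROA's origin AS validates however it got there.
    """
    if not as_path:
        raise ValueError("AS_PATH must not be empty")
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"          # no ROA covers it: ROV says nothing
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"               # covered, but origin or length is wrong


# Constructed ROA: AS64496 may originate 2001:db8::/32 down to /48.
ROAS = (ROA("2001:db8::/32", 48, 64496),)

if __name__ == "__main__":
    cases = {
        "legitimate /32":           ("2001:db8::/32", [64500, 64496]),
        "forged path, same origin": ("2001:db8::/32", [64511, 64496]),
        "deaggregated /48":         ("2001:db8:1::/48", [64500, 64496]),
        "/56 beyond maxLength":     ("2001:db8:1:200::/56", [64500, 64496]),
        "wrong origin AS":          ("2001:db8::/32", [64511]),
    }
    for name, (pfx, path) in cases.items():
        print(f"{name:26s} {rov_state(pfx, path, ROAS)}")
```

The second and third cases both come back "valid", which is why the reply treats RPKI as a partial answer and why the /48 question remains a separate filtering decision.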