[153402] in North American Network Operators' Group
Re: ROVER routing security - its not enumeration
daemon@ATHENA.MIT.EDU (Randy Bush)
Tue Jun 5 17:01:37 2012
Date: Tue, 05 Jun 2012 14:00:49 -0700
From: Randy Bush <randy@psg.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <CAL9jLaYV-k2dhNCDiBy2iEEXXx49b-8YhTOy7Btqj3DpsWnECw@mail.gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
>>>> routing protection without enumeration.
>>> I can see a use-case for something like:
>>>   "Build me a prefix list from the RIR data"
>> this requires a full data fetch, not doable in dns.
> does it? shane implied (and it doesn't seem UNREASONABLE, modulo some
> 'doing lots of spare queries') to query for each filter entry at
> filter creation time, no?
what is the query set, every prefix /7-/24 for the whole fracking ABC
space?
> that could be optimized I bet, but it SEEMS doable, cumbersome, but
> doable. the 'fail open' answer also seems a bit rough in this case
> (but no worse than 'download irr, upload to router, win!' which is
> today's model).
irr, i do have the 'full' set. but you said RIR (the in-addr roots),
not IRR. was it a mis-type?
and i am not gonna put my origin data in the irr and the dns.
randy