[29409] in North American Network Operators' Group
Re: using IRR tools for BGP route filtering
daemon@ATHENA.MIT.EDU (Danny McPherson)
Thu Jun 22 00:12:29 2000
Message-Id: <200006220411.WAA03901@tcb.net>
To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Jun 2000 22:11:03 -0600
Errors-To: owner-nanog-outgoing@merit.edu
> i emphatically DO NOT think that large providers should filter other
> peers. i think the large providers should filter their own announcements,
> by carefully verifying what a downstream wishes to announce before
> accepting it, filtering the customer announcements, and aggregating their
> announcements to peers.
I believe Randy's point is that it'd be really nice to filter prefixes
learned from peers, but even if the routing databases were up to date,
reliable and useful, the routers can't perform the policy matches against
filters fast enough.
And I agree completely. The fact that pretty much any network with an
AS number could take any Internet subnet completely offline in a matter
of -- what, ~8 minutes(?), intentionally or unintentionally, well,
I think it's pretty amazing. The only way a service provider can protect
their customers from this is by applying prefix-based filtering to all
their peers.
Of course, this requires valid, accessible, up to date IP registration
information. It also requires routers that can store hundreds of thousands of
lines of policies. Then, the routers have to be able to perform matches
on the policies when processing updates. All this is at the "control
plane".
Then, ideally, the routers would be able to utilize the same set of
policies to perform packet filtering functions in the "data plane",
which is even more interesting.
These two components alone would make the overall Internet
infrastructure far more reliable and secure than it is today,
no doubt.
> i think it's silly to try and regulate the world from one's own corner.
> regulate your corner, and encourage others to do the same. i don't care if
> said encouragement is by tacit agreement, or bound up in legalese in
> peering agreements.
I don't think it's silly at all to regulate the policies one employs in
their network in order to increase overall destination availability
to one's customers. Policies of this nature only require support of the
network that implements them. Other than requiring peers to keep registry
information up to date, they impact the peer networks in no way whatsoever.
-danny
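As an added illustration of the peer filter the message argues for (this is not code from the post or from any NANOG participant), the block below builds a per-origin prefix filter from constructed RPSL route objects and evaluates incoming announcements against it. The ASNs, prefixes and the /24 length limit are all made-up assumptions; the second loop in check_update is the case the message describes, a prefix registered to one network being announced by another.

```python
import ipaddress
from collections import defaultdict

# Constructed RPSL route objects standing in for an IRR dump (not real registry data).
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64496

route:   198.51.100.0/24
origin:  AS64497

route:   203.0.113.0/24
origin:  AS64496
"""

def parse_irr(text):
    """Map origin AS -> set of registered IPv4 prefixes from route:/origin: pairs."""
    allowed = defaultdict(set)
    route = None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "route":
            route = ipaddress.ip_network(val)
        elif key == "origin" and route is not None:
            allowed[val.upper()].add(route)
            route = None
    return allowed

def check_update(allowed, prefix, origin_as, max_len=24):
    """Decide whether a peer's (prefix, origin AS) announcement passes the IRR-derived filter."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_len:
        return "reject: more specific than /%d" % max_len
    def covered(reg):  # exact match or more-specific of a registered route, same address family
        return net.version == reg.version and (net == reg or net.subnet_of(reg))
    if any(covered(reg) for reg in allowed.get(origin_as.upper(), ())):
        return "accept"
    # Registered under a different origin: the "take any subnet offline" case in the post.
    for asn, nets in allowed.items():
        if any(covered(reg) for reg in nets):
            return "reject: %s is registered to %s" % (prefix, asn)
    return "reject: no matching route object"

def prefix_list(allowed, origin_as, name):
    """Render one peer's filter as router prefix-list lines (IOS-style syntax, assumed)."""
    nets = sorted(allowed.get(origin_as.upper(), ()), key=lambda n: int(n.network_address))
    lines = ["ip prefix-list %s seq %d permit %s" % (name, 5 * (i + 1), n) for i, n in enumerate(nets)]
    lines.append("ip prefix-list %s seq %d deny 0.0.0.0/0 le 32" % (name, 5 * (len(nets) + 1)))
    return lines
```

Run against a real IRR export, the permit lines are what fills the "hundreds of thousands of lines of policies" the message refers to, one prefix-list per peer.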