[29420] in North American Network Operators' Group
Re: using IRR tools for BGP route filtering
daemon@ATHENA.MIT.EDU (Jessica Yu)
Thu Jun 22 14:37:54 2000
Message-ID: <20000622183319.6124.qmail@web3001.mail.yahoo.com>
Date: Thu, 22 Jun 2000 11:33:19 -0700 (PDT)
From: Jessica Yu <jyy_99@yahoo.com>
To: danny@tcb.net, nanog@merit.edu
If every ISP does prefix based filtering on its
downstream customers, the integrity of the Internet
routing system will be improved a lot. The document
below proposes such a model:
http://www.iops.org/Documents/routing.html
--Jessica
--- Danny McPherson <danny@tcb.net> wrote:
>
>
> > i emphatically DO NOT think that large providers should filter other
> > peers. i think the large providers should filter their own announcements,
> > by carefully verifying what a downstream wishes to announce before
> > accepting it, filtering the customer announcements, and aggregating their
> > announcements to peers.
>
> I believe Randy's point is that it'd be really nice to filter prefixes
> learned from peers, but even if the routing databases were up to date,
> reliable and useful, the routers can't perform the policy matches against
> filters fast enough.
>
> And I agree completely. The fact that pretty much any network with an
> AS number could take any Internet subnet completely offline in a matter
> of -- what, ~8 minutes(?), intentionally or unintentionally, well,
> I think it's pretty amazing. The only way a service provider can protect
> their customers from this is by applying prefix-based filtering to all
> their peers.
>
>
> Of course, this requires valid, accessible, up to date IP registration
> information. It also requires routers that can store hundreds of thousands of
> lines of policies. Then, the routers have to be able to perform matches
> on the policies when processing updates. All this is at the "control
> plane".
>
> Then, ideally, the routers would be able to utilize the same set of
> policies to perform packet filtering functions in the "data plane",
> which is even more interesting.
>
> These two components alone would make the overall Internet
> infrastructure far more reliable and secure than it is today,
> no doubt.
>
> > i think it's silly to try and regulate the world from one's own corner.
> > regulate your corner, and encourage others to do the same. i don't care if
> > said encouragement is by tacit agreement, or bound up in legalese in
> > peering agreements.
>
> I don't think it's silly at all to regulate the policies one employs in
> their network in order to increase overall destination availability
> to one's customers. Policies of this nature only require support of the
> network that implements them. Other than requiring peers to keep registry
> information up to date, they impact the peer networks in no way whatsoever.
>
> -danny
>
>
>
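
The customer prefix filtering discussed in this thread, as an added example that is not part of the original messages or of the linked IOPS document: a filter is built from IRR route objects and each announcement on a customer session is checked against it. The route objects, AS numbers, function names and the /24 maximum prefix length are constructed assumptions.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes, private-use ASNs).
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64500

route:   203.0.113.0/24
origin:  AS64501
"""

def parse_route_objects(text):
    """Return [(network, origin_asn)] for each RPSL route object in text."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and attrs.get("origin", "").upper().startswith("AS"):
            routes.append((ipaddress.ip_network(attrs["route"]),
                           int(attrs["origin"][2:])))
    return routes

def build_customer_filter(routes, customer_asns):
    # Keep only route objects originated by the customer's registered ASNs.
    return [(net, asn) for net, asn in routes if asn in customer_asns]

def check_announcement(prefix, as_path, prefix_filter, max_len=24):
    """Decide whether to accept one announcement from the customer session."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # rightmost AS in the path originated the route
    covering = [(r, a) for r, a in prefix_filter
                if r.version == net.version and net.subnet_of(r)]
    if not covering:
        return "reject: no route object"
    if net.prefixlen > max_len:
        return "reject: too specific"
    if not any(a == origin for _, a in covering):
        return "reject: origin mismatch"
    return "accept"

def demo():
    flt = build_customer_filter(parse_route_objects(IRR_DUMP), {64500})
    updates = [("192.0.2.0/24", [64500]), ("198.51.100.0/25", [64500]),
               ("203.0.113.0/24", [64500]), ("192.0.2.0/24", [64500, 64502])]
    return [check_announcement(p, path, flt) for p, path in updates]
```

The filter is only as good as the registry data behind it, which is the dependency on valid, up to date registration information raised in the quoted message.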