[32264] in North American Network Operators' Group
Re: [doable?] peer filtering (was Re: Trusting BGP sessions)
daemon@ATHENA.MIT.EDU (Ran Atkinson)
Wed Nov 15 17:13:52 2000
Message-Id: <4.3.2.7.2.20001115164557.00b1c730@10.30.15.2>
Date: Wed, 15 Nov 2000 16:51:44 -0500
To: "Kevin Oberman" <oberman@es.net>
From: Ran Atkinson <rja@extremenetworks.com>
Cc: nanog@merit.edu
In-Reply-To: <200011152003.eAFK30J26810@ptavv.es.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu
At 15:02 15/11/00, Kevin Oberman wrote:
>Since Sprint and UUnet don't seem to be willing to provide information
>in the IRR to allow us to generate access-lists/policies, and not
>peering with these folks would be a Bad Idea(tm), so we can't quite
>filter everyone. (If I could figure out a way to get them to register,
>I'd have fun trying, though.)
Excellent point.
The main deployment limitation of any of the schemes
proposed for enhanced authentication of prefix advertisements
appears to be the unwillingness of certain major ISPs to
provide authenticated information about which prefixes
that service provider claims to be providing service for.
The Routing Registries would be one way to make
that data available, however the folks who don't want to
participate in the RRs also seem uncomfortable providing
the same data via some other method that can be authenticated.
Offhand, I don't know which service providers have
this reluctance. Its clear that at least some major service
providers do have such a reluctance. Until resolved, this
will be a significant deployment hindrance for better methods
(e.g. S-BGP or the other proposed approaches) of protecting
against inaccurate/false/accidental prefix advertisements.
Sigh.
Ran
rja@extremenetworks.com
DISCLAIMER: Speaking for myself here, not my employer.
Flames to /dev/null please.
