[32283] in North American Network Operators' Group


Re: [doable?] peer filtering (was Re: Trusting BGP sessions)

daemon@ATHENA.MIT.EDU (John Fraizer)
Thu Nov 16 04:40:31 2000

Date: Thu, 16 Nov 2000 04:38:33 -0500 (EST)
From: John Fraizer <nanog@EnterZone.Net>
To: nanog@merit.edu
In-Reply-To: <20001116102126.D32037@noris.de>
Message-ID: <Pine.LNX.4.21.0011160435130.17744-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 16 Nov 2000, Kurt Kayser wrote:

> 
> Hi,
> 
> On Wed, Nov 15, 2000 at 02:50:37PM -0800, Sean Donelan wrote:
> > 
> > No I'm not suggesting basing it on what a provider is currently 
> > advertising.  But rather on what the provider has registered and
> > is authorized to announce.  The set of authorized routes may be
> > the same or a superset of the routes the provider is currently
> > announcing.
> > 
> > If you want asymmetric routes, you can register and authorize traffic
> > via either route; and then dynamically announce which route you want
> > to use moment to moment.
> 
> How about not storing filter-information in configuration space, rather do
> dynamic lookup via directory-lookups (that could be driven by RPSL via LDAP)?
> Since a BGP-update is done just near-real-time a split-second lookup would
> certainly not delay the routing-table calculation, but rather provide a
> centralized method to maintain policy information.
> 
> These things change anyway so fast that accuracy is difficult on a daily update
> basis. It would also allow very fast elimination of networks that do harmful
> things (spam, DOS, etc..)
> 
> Kurt Kayser
> -- 
> noris network AG    / Kilianstrasse 142 \ 90425 Nuernberg
> Tel. (0911) 9352-0 / Fax (0911) 9352-100 \ info@noris.net
> 


How do you suppose the router is going to be able to get to the database
server?  It has to have a route to the database server and until it does,
it can not even verify that it should accept that route.

---
John Fraizer
EnterZone, Inc
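
The circular dependency raised in the reply above, modelled as an added example that is not part of the original thread or any router's code. The policy-server address, prefixes, AS numbers and the fail-closed retry loop are constructed assumptions; the same updates are run once against a lookup that needs a route to the server and once against filter data held in local configuration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use AS numbers.
REGISTRY_ADDR = ipaddress.ip_address("192.0.2.10")  # hypothetical policy server
REGISTERED = {                                      # prefix -> authorized origin AS
    "192.0.2.0/24": 64500,                          # covers the policy server itself
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}
UPDATES = [                                         # (prefix, origin AS) as received
    ("198.51.100.0/24", 64501),
    ("192.0.2.0/24", 64500),
    ("203.0.113.0/24", 64666),                      # not the registered origin
]

def reachable(rib, addr):
    """True if any installed prefix covers addr."""
    return any(addr in ipaddress.ip_network(p) for p in rib)

def remote_lookup(rib, prefix, origin):
    """Dynamic lookup: answers only if the router already has a route to the server."""
    if not reachable(rib, REGISTRY_ADDR):
        return None                                 # no route, so no answer
    return REGISTERED.get(prefix) == origin

def local_lookup(rib, prefix, origin):
    """Filter data stored in the router's own configuration (rib is unused)."""
    return REGISTERED.get(prefix) == origin

def converge(lookup, updates):
    """Fail closed: install a route only on a positive answer, retry until stable."""
    rib, pending = set(), list(updates)
    changed = True
    while changed:
        changed = False
        for upd in list(pending):
            if lookup(rib, *upd) is True:
                rib.add(upd[0])
                pending.remove(upd)
                changed = True
    return rib, pending

if __name__ == "__main__":
    for name, fn in (("remote", remote_lookup), ("local", local_lookup)):
        rib, pending = converge(fn, UPDATES)
        print(f"{name}: installed={sorted(rib)} unverified={pending}")
```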


