[43984] in North American Network Operators' Group


Re: Fwd: Re: Digital Island sponsors DoS attempt?

daemon@ATHENA.MIT.EDU (Paul A Vixie)
Mon Oct 29 17:01:24 2001

Message-Id: <200110291953.f9TJr5H57359@as.vix.com>
To: nanog@merit.edu
In-Reply-To: Message from Jeffrey Haas <jhaas@nexthop.com> 
   of "Mon, 29 Oct 2001 14:26:07 EST." <20011029142607.G19133@nexthop.com> 
Date: Mon, 29 Oct 2001 11:53:05 -0800
From: Paul A Vixie <vixie@vix.com>
Errors-To: owner-nanog-outgoing@merit.edu


> As an infrastructure owner, the important thing is that if you're
> going to announce reachability, it should be real.  If you blackhole
> stuff in the middle of a netblock and distribute it as an untainted
> netblock in your BGP, you're depriving people of clean routes.

ok, so how do you handle a situation like orbs/abovenet as in late 1999?

a /16 owned by a transit customer of as6461 had in it a /24 used by orbs.
the orbs traffic violated as6461's aup, which the /16's owner had signed.
the /16 owner had a less restrictive aup for its downstreams (including
orbs) than as6461 had, and thus had a weak contractual basis for enforcing
the as6461 aup on orbs.  as6461 had three possible choices: (a) ignore it
and hope the nonuniform enforcement of the aup didn't show up as a problem
elsewhere at a later time; (b) disconnect orbs' upstream on the basis of
their inability to conform to the aup they had signed; or (c) block traffic
to/from the /24 in question after carefully notifying the /16 owner that
this would be done and why.

as we all know, (c) was chosen.  great was the hue and even greater the cry.
a recommendation was even made that if as6461 wasn't going to carry the whole
/16 that it ought to chop it up and only advertise the parts it could reach,
in spite of what these more-specifics would have done to the /16 owner's own
routing policy (they were multihomed.)

what would YOU have done?  justify your answer.  (show all work.)
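
The routing side of option (c) versus the "chop it up" recommendation, as an added example that is not part of the original message. The prefixes (benchmarking address space) and the "other-upstream" label are constructed for illustration; the post gives no addresses.

```python
import ipaddress

# Constructed sample values, not taken from the post.
COVERING = ipaddress.ip_network("198.18.0.0/16")  # the transit customer's /16
BLOCKED = ipaddress.ip_network("198.18.77.0/24")  # the /24 being filtered


def reachable_more_specifics(covering, blocked):
    """Smallest set of prefixes that covers `covering` minus `blocked`."""
    return sorted(covering.address_exclude(blocked), key=lambda n: n.prefixlen)


def candidates(rib, dest):
    """Next hops still in contention after longest-prefix match.

    rib is a list of (prefix, next_hop_label). Prefix length is compared
    before any BGP attribute, so only routes at the longest matching
    length are left for policy (local-pref, AS path, MED) to choose from.
    """
    addr = ipaddress.ip_address(dest)
    hits = [(p, via) for p, via in rib if addr in p]
    if not hits:
        return []
    longest = max(p.prefixlen for p, _ in hits)
    return sorted(via for p, via in hits if p.prefixlen == longest)


def build_ribs():
    """Views a remote network would hold under each approach."""
    other = (COVERING, "other-upstream")  # hypothetical second transit
    # Option (c): as6461 keeps announcing the whole /16 and drops the /24.
    aggregate = [(COVERING, "as6461"), other]
    # Recommendation: as6461 announces only the parts it will carry.
    pieces = reachable_more_specifics(COVERING, BLOCKED)
    chopped = [(p, "as6461") for p in pieces] + [other]
    return aggregate, chopped


if __name__ == "__main__":
    aggregate, chopped = build_ribs()
    for p in reachable_more_specifics(COVERING, BLOCKED):
        print("as6461 would announce", p)
    for name, rib in (("aggregate", aggregate), ("chopped", chopped)):
        for dest in ("198.18.5.1", "198.18.77.9"):
            print(name, dest, "->", candidates(rib, dest))
```

With the aggregate, both upstreams stay in contention for every address, so the owner's policy still steers traffic but packets for the /24 that land on as6461 are dropped. With the more-specifics, the /24 is only reachable through the other upstream, and everything else in the /16 is pulled to as6461 regardless of the owner's policy.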
