[56591] in North American Network Operators' Group
Re: 69/8...this sucks
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Tue Mar 11 05:57:23 2003
Date: Tue, 11 Mar 2003 10:56:36 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Owen DeLong <owen@delong.com>
Cc: nanog@merit.edu
In-Reply-To: <2147483647.1047316576@dhcp156-251.corp.tellme.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 10 Mar 2003, Owen DeLong wrote:
> It seems to me that it would be relatively simple to solve this problem by
> doing the following:
>
> 1. ICANN (or an ICANN designee, such as ARIN) shall issue an ASN range
> of 20 ASNs to be used as BOGON-ORIGINATE.
Why not just one or private/reserved?
> 2. Each RIR should operate one or more routers with an open peering
> policy which will perform the following functions:
>
> A. Advertise all unissued space allocated to the RIR as
> originating from an ASN allocated to <RIR>-BOGON.
>
> B. Peer with the corresponding routers at each of the other
> RIRs and accept and readvertise their BOGON list through
> BGP.
>
> C. Provide a full BOGON feed to any router that chooses to
> peer, but not accept any routes or non-BGP traffic from
> those routers.
Of course, configure it wrong and you would end up sending all the junk that you
would have null routed to your RIR. Sounds messy.
What's more, I can see potential, whenever we start creating these kinds of self-propagating blackholes, for hackers to introduce genuine address blocks to create a DDoS.
>
> 3. Any provider which wishes to filter BOGONs could peer with the
> closest one or two of these and set up route maps that modify
> the next-hop for all BOGONs to be an address which is statically
> routed to NULL0 on each of their routers.
How many eBGP sessions do the RIRs need to maintain?? A lot.. and the maintenance would be a nightmare. Don't think this will work purely because of that overhead you create!!
Steve
> Apologies if this has been discussed before, but, it seems to me that this
> is the easiest way to make the data readily available to the community
> directly from the maintainers of the databases in a fashion which is
> automatically up to date.
There are other ways that don't use BGP peering to create lists that are more suitable.
Steve
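The provider-side piece of item 3 (rewrite the next-hop of every received bogon to an address statically routed to Null0), together with the sanity check Steve's objection calls for before any feed is trusted, as an added example that is not part of the thread or any RIR's tooling. The ASN range, the 192.0.2.1 next-hop, the feed contents and the "our allocations" list are all constructed stand-ins.

```python
import ipaddress

# Assumed stand-ins (not from the thread): 20 private ASNs play the role of the proposed
# BOGON-ORIGINATE range; 192.0.2.1 is the address every router statically points at Null0.
BOGON_ORIGIN_ASNS = range(64512, 64532)
NULL_NEXT_HOP = "192.0.2.1"
# Constructed sample feed, (prefix, origin ASN), as received from an RIR bogon router.
SAMPLE_FEED = [
    ("69.0.0.0/8", 64512),
    ("96.0.0.0/6", 64513),
    ("198.51.100.0/24", 64512),  # constructed: overlaps a block we actually use
    ("203.0.113.0/24", 65000),   # constructed: origin AS outside the bogon range
    ("10.0.0.0/8", 64514),
]
# Constructed: our own and customer allocations that must never be blackholed.
OUR_ALLOCATIONS = ["198.51.100.0/24", "203.0.113.0/24"]

def validate_feed(feed, our_allocations, bogon_asns):
    """Accept a prefix only if a bogon ASN originates it and it overlaps nothing
    we or our customers hold; return (accepted, rejected)."""
    ours = [ipaddress.ip_network(p) for p in our_allocations]
    accepted, rejected = [], []
    for prefix, asn in feed:
        net = ipaddress.ip_network(prefix)
        if asn not in bogon_asns:
            rejected.append((prefix, "origin AS %d not in bogon range" % asn))
        elif any(net.overlaps(o) for o in ours):
            rejected.append((prefix, "overlaps our own or customer allocation"))
        else:
            accepted.append(prefix)
    return accepted, rejected

def render_ios_config(prefixes, next_hop=NULL_NEXT_HOP):
    """IOS-style config: prefix-list of validated bogons, an inbound route-map that
    rewrites their next-hop and denies everything else, and the Null0 static."""
    lines = ["ip route %s 255.255.255.255 Null0" % next_hop]
    for seq, prefix in enumerate(prefixes, start=1):
        lines.append("ip prefix-list BOGONS seq %d permit %s" % (seq * 5, prefix))
    lines += [
        "route-map BOGON-IN permit 10",
        " match ip address prefix-list BOGONS",
        " set ip next-hop %s" % next_hop,
        "route-map BOGON-IN deny 20",  # nothing else from the feed gets in
    ]
    return lines

if __name__ == "__main__":
    ok, bad = validate_feed(SAMPLE_FEED, OUR_ALLOCATIONS, BOGON_ORIGIN_ASNS)
    print("\n".join(render_ios_config(ok)))
    print("rejected:", bad)
```

The deny clause at the end of the route-map is what keeps a misconfigured or poisoned feed from installing anything beyond the validated bogon list.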