[81052] in North American Network Operators' Group
Re: the problems being solved -- or not
daemon@ATHENA.MIT.EDU (Russ White)
Tue May 24 07:42:25 2005
Date: Tue, 24 May 2005 07:41:49 -0400 (Eastern Daylight Time)
From: Russ White <ruwhite@cisco.com>
Reply-To: Russ White <riw@cisco.com>
To: Pekka Savola <pekkas@netcore.fi>
Cc: Tony Li <tony.li@tony.li>, Randy Bush <randy@psg.com>,
Geoff Huston <cidr-report@potaroo.net>,
Bill Manning <bmanning@ep.net>, nanog@nanog.org
In-Reply-To: <Pine.LNX.4.61.0505240937010.4256@netcore.fi>
Errors-To: owner-nanog@merit.edu
> Let's look at Tony's points above. These solutions cannot deal with the
> last case, i.e., the "owner" of the prefix decides to advertise more
> specifics (and the ISPs pass that crap through). Then we're left with
> attacks where someone else advertises an equal route, or someone
> advertises a more specific.
One of the various policies available within the soBGP specs is the ability
for the owner of an address block to state: "The longest prefix within this
block will be /x." This means that if you own 10.1.0.0/16, you can say:
"The longest prefix length within 10.1.0.0/16 will be a /17." Or you can
say: "The longest prefix within 10.1.0.0/17 will be a /18, and the longest
within 10.1.1.0/17 will be a /20." Now, if someone attempts to steal your
traffic by advertising a longer prefix, anyone actually checking would toss
their routes.
Yes, you could advertise the same length, of course, but then, if the
origin doesn't match, and/or the AS Path is bogus, they're toast, as well.
:-)
Russ
__________________________________
riw@cisco.com CCIE <>< Grace Alone
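The check Russ describes, as an added illustration that is not soBGP code and not part of this thread: the holder of a block states the longest prefix allowed inside it (and the origin AS expected for it), and a checking router discards a longer announcement, or an equal-length one from the wrong origin. The AS numbers and the use of 10.1.128.0/17 as the upper half of 10.1.0.0/16 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    block: ipaddress.IPv4Network  # block the owner is making a statement about
    max_len: int                  # longest prefix length allowed inside that block
    origin_as: int                # AS expected to originate routes (constructed)


# Constructed policy sets mirroring the two statements in the message.
# Statement 1: "the longest prefix within 10.1.0.0/16 will be a /17".
SIMPLE_POLICY = [Policy(ipaddress.ip_network("10.1.0.0/16"), 17, 64500)]
# Statement 2: a /18 in the lower /17 and a /20 in the upper /17
# (assumed here to be 10.1.128.0/17, the upper half of 10.1.0.0/16).
SPLIT_POLICY = [
    Policy(ipaddress.ip_network("10.1.0.0/17"), 18, 64500),
    Policy(ipaddress.ip_network("10.1.128.0/17"), 20, 64500),
]


def covering_policy(prefix, policies):
    """Most specific policy whose block contains prefix, or None."""
    matches = [p for p in policies if prefix.subnet_of(p.block)]
    return max(matches, key=lambda p: p.block.prefixlen) if matches else None


def check_route(prefix_str, origin_as, policies):
    """Return 'accept', 'no-policy', or a 'reject: ...' reason for an
    advertised (prefix, origin AS), the way a checking router would."""
    prefix = ipaddress.ip_network(prefix_str)
    policy = covering_policy(prefix, policies)
    if policy is None:
        return "no-policy"  # the owner stated nothing about this space
    if prefix.prefixlen > policy.max_len:
        # The "steal traffic with a longer prefix" case: toss the route.
        return f"reject: /{prefix.prefixlen} exceeds /{policy.max_len} for {policy.block}"
    if origin_as != policy.origin_as:
        # Equal-length announcement from the wrong origin: toss it as well.
        return f"reject: origin AS{origin_as} is not AS{policy.origin_as}"
    return "accept"


if __name__ == "__main__":
    for pfx, asn in [("10.1.0.0/17", 64500), ("10.1.0.0/18", 64500),
                     ("10.1.0.0/17", 64511), ("10.1.128.0/20", 64500)]:
        print(pfx, asn, "->", check_route(pfx, asn, SIMPLE_POLICY),
              "|", check_route(pfx, asn, SPLIT_POLICY))
```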