[81128] in North American Network Operators' Group
Re: soBGP deployment
daemon@ATHENA.MIT.EDU (Todd Underwood)
Thu May 26 06:22:52 2005
Date: Thu, 26 May 2005 06:22:26 -0400
From: Todd Underwood <todd@renesys.com>
To: nanog@nanog.org
In-Reply-To: <42950917.3070609@tony.li>
Errors-To: owner-nanog@merit.edu
tony, all,
On Wed, May 25, 2005 at 04:24:07PM -0700, Tony Li wrote:
> Fundamentally, there is a serious scalability issue with doing
> everything at configuration generation time. Since one cannot predict
> with certainty what AS paths will be seen for which prefix, one would
> have to authenticate each and every possible path and then encode the
> authenticated paths in the configuration.
but you don't really have to do this to solve a big chunk of the
problem. wouldn't it be a good start to simply be able to
authenticate originations? and by originations, i don't just mean the
single AS, but i the set of length-2 paths that form the existing
originations for a prefix.
the list of all prefixes seen in the global table combined with all
origination patterns seen for the past 6 months or so is realively
easy to produce.
the scalability problem, as i understand it (not at all an expert
here) is that routers won't currently handle such a list with regexps
very well. apparently, ciscos will not allow filtering advertisements
on a combination of prefix + as-path regexp at all and junipers will,
but the perception is that they will not scale to a list of 300-500K
(which is the union of routes in global tables without any
consolidation). if you could consolidate all equally originated
prefixes under their covering supernets and still adequately filter,
that number would be *much* smaller, obviously.
t.
--
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com www.renesys.com
