[88162] in North American Network Operators' Group
Re: preventing future situations like panix
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Mon Jan 23 15:52:44 2006
Date: Mon, 23 Jan 2006 15:52:16 -0500
From: Thor Lancelot Simon <tls@netbsd.org>
To: Josh Karlin <karlinjf@cs.unm.edu>
Cc: nanog@nanog.org
In-Reply-To: <71051fe20601231147s1bf5dccqdbdce24ebfdd7b69@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
On Mon, Jan 23, 2006 at 12:47:38PM -0700, Josh Karlin wrote:
>
> Suspicious routes are those that originate at an AS that has not
> originated the prefix in the last few days and those that introduce
> sub-prefixes. Sub-prefixes are always considered suspicious (~1 day)
> and traffic will be routed to the super-prefix for the suspicious
> period.

So, if you consider the recent Cone-D hijacking incident, it seems to
me that:

1) Cone-D's announcement of _some_ of the prefixes they announced would
have been considered "suspicious" -- but not all, since some of the
prefixes in question were for former customers or peers who had only
recently terminated their business arrangements with Cone-D.

2) Panix's first, obvious countermeasure aimed at restoring their
connectivity -- announcing their own address space split in half --
would *also* have been considered suspicious, since it gave two
"sub-prefixes" of what Cone-D was hijacking.

Unless I misunderstand what you're proposing -- which is entirely possible,
in fact perhaps even likely -- it seems to me that it might well have done
at least as much harm as good.
Thor
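
The two rules quoted above (origin AS not seen for the prefix in the last few days; any new sub-prefix), applied to announcements shaped like the two cases in the reply. This is an added example, not part of the original message and not code from the proposal's authors. The 3-day window, the documentation prefixes, the AS numbers and the timestamp are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=3)  # assumption: "last few days" read as 3 days

def classify(prefix, origin_as, now, history):
    """Return (suspicious, reason) for one announcement.

    history maps ip_network -> {origin AS: datetime it last originated it}.
    """
    net = ipaddress.ip_network(prefix)
    last_seen = history.get(net, {}).get(origin_as)
    if last_seen is not None and now - last_seen <= HISTORY_WINDOW:
        return False, "origin originated this prefix recently"
    # A more-specific of a known prefix is suspicious whoever originates it.
    for known in history:
        if net != known and net.version == known.version and net.subnet_of(known):
            return True, f"sub-prefix of {known}"
    return True, "origin has not originated this prefix recently"

def run_sample():
    """Classify four constructed announcements against a constructed history."""
    now = datetime(2006, 1, 22)  # constructed timestamp
    history = {
        ipaddress.ip_network("198.51.100.0/24"): {64500: now},
        ipaddress.ip_network("203.0.113.0/24"): {64501: now - timedelta(days=2)},
    }
    announcements = [
        ("198.51.100.0/24", 64501),    # other AS originates the holder's prefix
        ("203.0.113.0/24", 64501),     # same AS, prefix it originated 2 days ago
        ("198.51.100.0/25", 64500),    # holder splits its own /24 in half
        ("198.51.100.128/25", 64500),
    ]
    return {a: classify(a[0], a[1], now, history) for a in announcements}

if __name__ == "__main__":
    for (prefix, asn), (flag, why) in run_sample().items():
        print(f"{prefix:20} AS{asn}  suspicious={flag}  ({why})")
```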