[88287] in North American Network Operators' Group
Re: So -- what did happen to Panix?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Fri Jan 27 12:00:21 2006
In-Reply-To: <DAC122B3-6147-4729-9932-45920AE284FE@isc.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Fri, 27 Jan 2006 11:58:47 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
On Jan 27, 2006, at 11:39 AM, Joe Abley wrote:
> On 27-Jan-2006, at 11:12, bmanning@vacation.karoshi.com wrote:
>
>> but by definition, the right-most entry is the prefix origin...
>
> Suppose AS 9327 decides to originate 198.32.6.0/24, but prepends
> 4555 to the AS_PATH as it does so. Suppose 9327's uses a transit
> provider which builds prefix filters from the IRR, and the "as9327"
> aut-num object is modified to include policy which suggests 9327
> provides transit for 4555. Suppose this is not actually the case,
> though, and in fact 9327 is a rogue AS which is trying to capture
> 4555's traffic.
>
> The rest of the world sees a prefix with an AS_PATH attribute which
> ends with "9327 4555".
>
> In this case, from the point of view of those trying to discern
> legitimacy of advertisements, what is the origin of the prefix? Is
> it 4555, or 9327?
>
> Is it possible to tell, from just the right-most entry in the
> AS_PATH attribute?
Suggested solutions do not have to solve every possible problem.
Knowing the "correct" origin will stop accidental announcements, like
the one under discussion in this thread.
And, I suspect, most problems we see today of this sort. We are not
(yet) to the point where maliciously originated prefixes are as big a
problem as accidentally originated prefixes.
--
TTFN,
patrick
