
There are exactly 3 types of neighbours:
- trusted (for example, I hope MCI should be trusted for everyone; you can't build an access filter for it);
Not according to two of the presentations at NANOG. Of course, being too lazy to ask the question, I remained in my seat :). Anyways, both the IOPS proposal and origin authentication assume that you are going to be looking up a hefty amount of routes against either an RR database or some DNS tree to validate that the information that you are receiving is correct. Caching or not, this is not a good way to go about solving the problem (if it even exists on a large scale... Paul may have some information about spammers doing this?)
- we get info from RIPE or some other DBA (usually it's some peers);
- we maintain routing info ourselves (customers and some small ISP here).
Generally, our response is to use the routing registries to build policy from the customer end (i.e. ensuring that our customers are doing the right thing). That way, we will not be responsible for any prefixes injected into the global routing table. Our upstreams as well make some attempt to verify that our information is correct (though it may be only through AS path access lists). I think that this is the best solution to the problems talked about today. Ensure that you are not the problem and eventually the clue factor will propagate around the network (though it seems to have a really slow convergence time :). If everyone ensured that neither they nor their customers are responsible for the problems, the world would be that much a better place. I'll stop the idealistic crusade now, but it would be nice..

BR
brad reynolds
brad@iagnet.net
IAGnet/CICnet
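
Added example, not part of the original message: a sketch of the customer-edge policy described above, combining a prefix filter built from routing registry route objects with an AS path access list. The registry data, ASNs, prefixes and function names are constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes, private-use ASNs).
SAMPLE_IRR = """\
route:  192.0.2.0/24
origin: AS64500

route:  198.51.100.0/24
origin: AS64501

route:  203.0.113.0/24
origin: AS64510
"""

def parse_routes(text):
    """Return {(network, origin_asn)} from blank-line-separated route objects."""
    routes = set()
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"])  # rejects host bits set
            routes.add((net, int(attrs["origin"].upper()[2:])))
    return routes

def check_announcement(registered, customer_asns, prefix, as_path):
    """Decide whether to accept a route received on a customer session."""
    # AS path access list: only the customer's own ASNs may appear.
    if not as_path or any(asn not in customer_asns for asn in as_path):
        return False, "as-path contains an AS outside the customer set"
    # Prefix filter: exact prefix must be registered with this origin AS.
    try:
        net = ipaddress.ip_network(prefix)
    except ValueError:
        return False, "malformed prefix"
    if (net, as_path[-1]) not in registered:
        return False, "no route object for this prefix and origin"
    return True, "registered"

REGISTERED = parse_routes(SAMPLE_IRR)
CUSTOMER = {64500, 64501}  # hypothetical customer and its downstream
```

The lookup against the registry happens once, when the filter is built, so no per-route query is made while announcements are being received.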