On Tue, Jan 13, 2009 at 08:53:42AM -0800, David Barak wrote:
--- On Tue, 1/13/09, Jared Mauch <jared@puck.nether.net> wrote:
Does that mean that I hijacked their identity and forged it? What level of trust do you place in the AS_PATH for your routing, debugging and decision making process?
AS_PATH != identity, and I would not recommend loading the latter onto the former.
But it does represent an interesting thing. Many people treat AS_PATH as identity, when in fact it's not congruent.
Personally, I would be upset if someone injected a route with my ASN in the AS_PATH without my permission.
Why? Is this a theoretical "because it's ugly" complaint, or is there a reason why manipulating this particular BGP attribute in this particular way is so bad? Organizations do filtering and routing manipulation all over the place. Is there something worse about doing it this way than others?
This is not "because it's ugly", but more complex to understand the interaction. People have asserted that injecting an as-path with 2914 will utilize the loop-detection mechanism to prevent reachability if your transit is from 1239 or 174. Except that 174 filters out these asns from their customers.

I've noticed zero complaints since my 'detecting routing leaks by counting' system was presented at nanog that were not actual leaks when too many SFI (tier-1?) asns showed up in a path.

While most of the challenge could be uneducated readers of an as-path, without the protocol being changed, it really depends on the elements in the path being genuine. Without this trust, we should all configure our routers to allow our own as in, or work to make it the new default, and ask providers to change their filtering of other SFI asns from their customer as-paths.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
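The two AS_PATH checks this thread turns on, loop detection on the local ASN and counting SFI ASNs to spot a leak, sketched as an added example that is not part of the original message and is not the system presented at NANOG. The SFI set (only the three ASNs named in the thread), the threshold of two, the function names and the sample paths are assumptions.

```python
import re

# Assumptions for this example, not values from the thread's tooling:
SFI_ASNS = {174, 1239, 2914}  # only the ASNs named in the message, not a full list
MAX_SFI = 2                   # a valley-free path crosses at most one SFI-to-SFI edge


def parse_as_path(text):
    """Return the AS_SEQUENCE as ints; AS_SET members in {...} are dropped."""
    text = re.sub(r"\{[^}]*\}", " ", text)
    return [int(tok) for tok in text.split()]


def collapse_prepends(path):
    """Remove consecutive duplicates so prepending does not inflate the count."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def sfi_count(path):
    """Number of SFI hops in the path after prepends are collapsed."""
    return sum(1 for asn in collapse_prepends(path) if asn in SFI_ASNS)


def classify(text, local_asn):
    """Label a received path the way a monitor at local_asn would."""
    path = parse_as_path(text)
    if local_asn in path:
        return "loop"           # default BGP loop detection discards this route
    if sfi_count(path) > MAX_SFI:
        return "possible-leak"  # too many SFI ASNs for a valley-free path
    return "ok"


# Constructed sample paths; 64496-64511 are documentation ASNs (RFC 5398).
SAMPLE_PATHS = [
    "174 64500",
    "174 174 174 2914 64501",
    "1239 64502 174 2914 64503",
    "64496 2914 64504 {64505,64506}",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p, local_asn=64496):14} {p}")
```

Both checks take every ASN in the path at face value, so an ASN inserted by a party other than its holder changes the result; that is the trust dependency the message describes.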