--> From: "Milo S. Medin" (NASA ARC NSI Office) <medin@nsipo.nasa.gov>
Mark, the main problem for us is if you don't filter out the 97 some odd nets out of the AS 1957 routes you send us. If you are willing to do that, then we still don't have any new administrative load, and from NSI's point of view, we're happy. Did I read your statement right? If so, we'd definitely like to take you up on this offer!
If you don't want to hear about the ~97 nets AND you don't do default routing then you are fine. In other words, you read Mark correctly and are fine. This situation is not a problem UNLESS you point default.
You say: "For regionals using default, it isn't possible to prevent traffic from being sent from the regional to the CIX."
Pointing default is, in a sense, like stating that you trust the network to which you default (and all of its peers) with your packets. You have given up your only means of controlling your traffic. I've even heard someone state that "pointing default is a kludge." If not a kludge, it is certainly a substitute for horsepower (which may be a financial or even technical consideration) that affords no mechanism to enforce one's own policy. You can then ask someone else to enforce your policy for you but if they say they can't...
This is true, given a certain set of assumptions, such as the ENSS and CNSSs having the same set of routes. If the ENSS did not install the 97 nets etc. in its routing table, then since it didn't have default, it would generate net unreachable messages and the traffic wouldn't flow. Given that I thought this kind of thing was possible given your implementation and use of IBGP and such, then this shouldn't be that hard. Again, please correct me if I'm offbase here.
You're both correct and offbase. It is true that IF the ENSSes did not install the routes you would have solved the problem FOR EVERYONE USING THE ENSS (all of whom may not have the same policy restrictions). It is not true that "given your implementation and use of IBGP and such" ANS can do this. As I understand it, intra-domain protocols (IBGP, IIDRP) have as a design basis the assumption that all internal neighbors have full disclosure of routing information between themselves. Regardless, the implementation that ANS uses does not support this feature. One option (as Vince Fuller pointed out while I typed this) is to do IBGP with CNSSes and have each ENSS peer with both the regional and the CNSS IBGP mesh. This is effective but ugly. Besides slowing the propagation of routes within the backbone, it adds 2 ASes to the AS path, uses up AS numbers like they are going out of style, and accomplishes nothing more than a regional could if it had the horsepower to enforce its own policy restrictions.
You certainly could argue that this sort of thing is necessary for ANS to serve its member networks' needs for CO+RE service. The real question is whether or not it is possible to do this and not increase the administrative load of non-participating regionals under your NSFNET agreement. The key to resolving the latter question is how much flexibility you guys have with the import and export of routing information into the routing tables of the ENSSs, and to be honest, I have only peripheral knowledge of the current way routes are sent around inside the T3 system (not because you guys are being secretive, just that I haven't been following this very closely due to work load problems).
Yes, one could argue that but as I stated it is not possible to do this without kludges and even with such kludges, it would still be effective only on an ENSS (router) basis and not on an AS basis. I believe, as Mark said, that currently the architecturally clean thing to do is to try to get each AS to control their own policy, hopefully in a spirit of cooperation and disclosure with its peers. That way the backbone can forward packets as effectively as possible, stopping only to do minimal verification of ownership of networks and regionals can make/implement decisions whenever they choose without a backbone provider serving as middleman.
Thanks, Milo
I guess I see this as a step in the right direction. But then I dream of an AUP-less world full of white picket fences... I wear only my own hats and I route my opinions under the same policy, eric
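The point argued across this exchange, that a router which points default has surrendered its ability to enforce its own reachability policy while a router without default simply returns "net unreachable" for anything it has not installed, can be shown with a small longest-prefix-match table. The following is an added illustration, not code from the thread or from ANS, NSI or any regional; the prefixes, the "deny" set and the next-hop names are constructed stand-ins for the ~97 nets and the AS 1957 session under discussion.

```python
import ipaddress

# Constructed sample data (not the real AS 1957 routes): three nets a peer
# announces, one of which the regional's policy says must not be reached
# over this path. These are documentation prefixes chosen for the example.
PEER_ROUTES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
POLICY_DENY = {"198.51.100.0/24"}


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        # ipaddress network object -> next-hop label
        self.routes = {}

    def install(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Return the next hop for dst, or None if no route covers it."""
        addr = ipaddress.ip_address(dst)
        best_net, best_hop = None, None
        for net, hop in self.routes.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_hop = net, hop
        return best_hop


def build_fib(peer_routes, deny, point_default):
    """Install the peer's routes minus the policy-filtered ones; optionally add
    a default route toward the backbone (the 'pointing default' case)."""
    fib = Fib()
    for prefix in peer_routes:
        if prefix not in deny:  # the filter Milo asks Mark to apply
            fib.install(prefix, "peer-AS1957")
    if point_default:
        fib.install("0.0.0.0/0", "backbone-default")
    return fib


def forward(fib, dst):
    """What the router does with a packet to dst: a next hop, or an ICMP
    net-unreachable back to the sender when nothing matches."""
    hop = fib.lookup(dst)
    return hop if hop is not None else "net unreachable"


def policy_holds(point_default):
    """True if every policy-denied net is actually unreachable from this
    router, i.e. the filter is effective rather than bypassed by default."""
    fib = build_fib(PEER_ROUTES, POLICY_DENY, point_default)
    return all(
        forward(fib, str(ipaddress.ip_network(p)[1])) == "net unreachable"
        for p in POLICY_DENY
    )


if __name__ == "__main__":
    for default in (False, True):
        fib = build_fib(PEER_ROUTES, POLICY_DENY, default)
        print(f"default route {'yes' if default else 'no '} : "
              f"allowed net -> {forward(fib, '192.0.2.10')}, "
              f"denied net -> {forward(fib, '198.51.100.7')}, "
              f"policy enforced: {policy_holds(default)}")
```

With no default installed, the denied net has no covering entry and the packet is dropped with a net-unreachable; the filter is doing its job. Add a default route and the very same filtered packet matches 0.0.0.0/0 and leaves toward the backbone, which is exactly the "you have given up your only means of controlling your traffic" case: the route filter is still in place, but the default turns it into a no-op for forwarding.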