
On Sun, Jan 30, 2011 at 3:23 AM, Andrew Alston <aa@tenet.ac.za> wrote:
> I've just noticed that Level 3 is allowing people to register space in its IRR database that A.) is not assigned to the people registering it and B.) is not assigned via/to Level 3.
This is not unique to Level3 -- it is the industry standard practice and has been since the dawn of time. You must be a Level3 customer to have a mntner: for publishing to their IRR database (in theory.) Since there isn't an automatic mechanism for verifying that a given ISP is really allowed to originate a route (or provide transit for an AS, etc.) there is simply no practical way to change this at this time, without processing updates manually (and introducing human error into that yes/no authorization check.)

IRR is a convenience that many networks rely on. When done correctly, this is not a bad idea by any means.

In theory, RPKI will fix the real problem you are addressing -- that it is really difficult to verify whether or not a neighboring AS is allowed to carry a given route. In practice, vendors need to support it on routers, networks need to upgrade, ARIN (and other RIRs) need to do their part, and thousands of auto-pilot networks will need to be hand-held by their ISPs in order to make this happen. How soon theory can become reality is not easy to predict. How many networks have ubiquitous support for 32 bit ASN? IPv6?

RPKI is a bastard thing created out of a perceived (perhaps correctly) need for real security, when in fact basically all of the events that have led to its creation (except for some scare-tactic papers and presentations) were not deliberate.

This brings me to my point, which is that IRR is very good for preventing accidents and automating some common tasks. It should be "secure" to a point, but just because a route: object exists does not mean that mntner: really has authority over that address space. You can pretty much rely on the fact that the given origin AS is intentionally announcing the route, as opposed to leaking it by accident.

-- 
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
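The distinction drawn in the message above, between a route: object that merely exists under some maintainer and a statement of authority that can actually be checked, can be made concrete in code. The following is an added example and is not part of the original thread or of any IRR or RPKI software. It parses a few constructed RPSL-style route: objects into a lookup table, then performs RFC 6811 route-origin validation (valid / invalid / not-found, including the maxLength rule) against constructed ROAs, which goes slightly beyond the post by spelling out the validation states RPKI gives a route. Every prefix (documentation ranges), ASN, maintainer name and ROA below is made up for the example.

```python
"""Added example (not from the original mailing-list post): contrast an
IRR route: object lookup with RFC 6811 route-origin validation.
All route objects, ROAs and prefixes are constructed sample data."""
import ipaddress

# Constructed IRR route: objects in RPSL style. The object for
# 203.0.113.0/24 was registered under an unrelated maintainer (MAINT-OTHER);
# an IRR will generally accept that as long as the mntner belongs to a
# customer, which is the point made in the thread.
IRR_OBJECTS = """\
route:      192.0.2.0/24
origin:     AS64500
mnt-by:     MAINT-AS64500
source:     EXAMPLE

route:      203.0.113.0/24
origin:     AS64501
mnt-by:     MAINT-OTHER
source:     EXAMPLE
"""

# Constructed ROAs as (prefix, maxLength, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64502),
    ("2001:db8::/32", 48, 64500),
]


def parse_route_objects(text):
    """Parse route:/route6: objects separated by blank lines.
    Returns a list of dicts with keys route, origin (int) and mnt_by."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix is None or "origin" not in attrs:
            continue
        objects.append({
            "route": ipaddress.ip_network(prefix),
            "origin": int(attrs["origin"].upper().lstrip("AS")),
            "mnt_by": attrs.get("mnt-by", ""),
        })
    return objects


def irr_origin_registered(objects, prefix, origin_asn):
    """True if a route: object exactly matches prefix and origin.
    This only tells you that *someone holding a mntner* registered it."""
    net = ipaddress.ip_network(prefix)
    return any(o["route"] == net and o["origin"] == origin_asn for o in objects)


def rpki_origin_validation(roas, prefix, origin_asn):
    """RFC 6811 route-origin validation state for (prefix, origin).

    'valid'     - a covering ROA names this origin and prefix length <= maxLength
    'invalid'   - covering ROA(s) exist but none matches
    'not-found' - no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and roa_asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def compare_sources(objects, roas, prefix, origin_asn):
    """Side-by-side view: what the IRR says versus what the ROAs say."""
    return {
        "irr_registered": irr_origin_registered(objects, prefix, origin_asn),
        "rpki_state": rpki_origin_validation(roas, prefix, origin_asn),
    }


if __name__ == "__main__":
    objs = parse_route_objects(IRR_OBJECTS)
    for pfx, asn in [("192.0.2.0/24", 64500), ("203.0.113.0/24", 64501)]:
        print(pfx, "AS%d" % asn, compare_sources(objs, ROAS, pfx, asn))
```

Run as a script, the second line of output shows the case the thread describes: the IRR reports 203.0.113.0/24 as registered for AS64501 because a customer's mntner published it, while the ROA for that prefix names a different origin and so the route validates as invalid.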