On (2006-07-21 11:38 -0400), Joe Abley wrote:
> That seems to me like another perfectly valid approach, and one that already exists to some extent (e.g. by pre-poisoning AS_PATH attributes with AS numbers of remote networks that you don't want to accept particular routes). I'm told that IDRP has inclusion and exclusion lists which provide more exhaustive implementation of this kind of idea, too.
Oh, cool idea. Indeed, an 'as exclude' mechanism is there, but I'm sure I'd be frowned upon for advertising such routes today. 'as include', OTOH, is not there.
> However, for some applications those mechanisms rely on knowing the topology one or more AS hops away from your network; AS_PATHLIMIT doesn't. To my eye the two approaches seem complementary.
Absolutely complementary. The 'original' problem I was thinking of really needed both, as the point was to find how 'deep' in the Internet your DoS sources are; then, once you've identified the depth, you have a smaller subset of AS numbers that you could iterate with include/exclude to pinpoint the source of certain traffic, even if they were spoofing. But that idea has several problems that might make it unfeasible; nevertheless, the traffic engineering applications remain.
> [To be clear, incidentally, Tomy, Rex and I made no claim to be the original authors of the idea we were documenting in this draft:
ACK, I did notice that; I'm sure most people have thought about it at one point or another in their networking career :). I hope it'll be implemented.

Thanks,
-- 
++ytti
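A small propagation model of the two mechanisms this thread compares (AS_PATH poisoning via loop detection versus the AS_PATHLIMIT attribute), added here as an illustration and not code from the draft or from either poster. It assumes a constructed AS graph using private-use AS numbers, ignores best-path selection, and approximates AS_PATHLIMIT as "withhold the route once the prepended AS_PATH would exceed the limit", which is a simplification of the draft's wording rather than a copy of it.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]            # leftmost = most recent AS, rightmost = origin
    path_limit: Optional[int] = None    # AS_PATHLIMIT upper bound on AS_PATH length, or None


def accepts(local_as: int, route: Route) -> bool:
    """Standard BGP loop detection: a route already carrying our own AS is dropped.
    This is what makes AS_PATH poisoning work: the poisoned AS rejects the route itself."""
    return local_as not in route.as_path


def readvertise(local_as: int, route: Route) -> Optional[Route]:
    """Prepend our AS before passing the route on. With AS_PATHLIMIT set, the route is
    withheld once the prepended path would exceed the limit (approximation, see lead-in)."""
    new_path = (local_as,) + route.as_path
    if route.path_limit is not None and len(new_path) > route.path_limit:
        return None
    return Route(route.prefix, new_path, route.path_limit)


def propagate(topology: Dict[int, List[int]], origin_as: int, route: Route) -> Set[int]:
    """Flood one announcement over the AS graph; returns the ASes that end up holding it.
    Simplification: the first accepted announcement at each AS wins."""
    holders = {origin_as: route}
    queue = deque([origin_as])
    while queue:
        sender = queue.popleft()
        outgoing = route if sender == origin_as else readvertise(sender, holders[sender])
        if outgoing is None:            # AS_PATHLIMIT reached: propagation stops here
            continue
        for peer in topology[sender]:
            if peer in holders or not accepts(peer, outgoing):
                continue
            holders[peer] = outgoing
            queue.append(peer)
    return set(holders)


# Constructed topology (private-use ASNs): 64503 is three hops from the origin via 64502.
TOPOLOGY = {64500: [64501, 64504], 64501: [64500, 64502], 64502: [64501, 64503],
            64503: [64502], 64504: [64500, 64505], 64505: [64504]}
PLAIN = Route("192.0.2.0/24", (64500,))
LIMITED = Route("192.0.2.0/24", (64500,), path_limit=2)       # reach at most two AS hops
POISONED = Route("192.0.2.0/24", (64500, 64502, 64500))       # 64502 will reject this


def reach(route: Route) -> Set[int]:
    return propagate(TOPOLOGY, 64500, route)
```

Note that poisoning lengthens the AS_PATH, so the two mechanisms interact when both are present on the same announcement.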