On Mon, Jan 31, 2011 at 3:55 PM, Andree Toonk <andree+nanog@toonk.nl> wrote:
> .-- My secret spy satellite informs me that at 11-01-31 12:11 PM Christopher Morrow wrote:
>> yes, but what is the way forward?
> Not sure, that was my original question: Are there any suggestions or recommendations for how to handle these cases?

So... I think we should keep in mind that rPKI provides some in-protocol (and on-router) certificate checking bits (this is oversimplified, on purpose). Those things allow you to validate routing data as you see it on the device, and take some policy steps to react to that decision.

The other thing that rPKI gets us to is the ability to create and maintain prefix-list (or equivalent) data for routers in an automated and verifiable manner. You could validate the prefixes your customers/peers claim to have with some cryptographic assurance... that data is tied to the allocation hierarchy, and it's kept updated by the allocation chain (IANA->RIR->NIR->LIR->EndUser).

So, maybe the answer is folks will be able to better/quicker/more-accurately maintain bgp filters and drop this sort of problem in Adj-Rib-In?

-Chris
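
The check described above, as an added example that is not part of the original message: received announcements are classified against ROA data, invalid ones are dropped at Adj-RIB-In, and a per-AS prefix list is derived from the same data. The ROA entries, peer names and ASNs are constructed sample values, and accepting routes with no covering ROA is an assumed policy.

```python
import ipaddress

# Constructed sample ROA payloads: (prefix, max length, authorized origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("10.0.0.0/16", 20, 64502),
    ("2001:db8::/32", 48, 64500),
]

def validate(prefix, origin_as, vrps=VRPS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        roa = ipaddress.ip_network(vrp_prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        # Valid needs a matching origin AND a length within max length.
        if origin_as == vrp_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_adj_rib_in(announcements, vrps=VRPS):
    """Split (peer, prefix, origin_as) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for peer, prefix, origin_as in announcements:
        state = validate(prefix, origin_as, vrps)
        # Assumed policy: drop only 'invalid'; 'not-found' is still accepted.
        target = dropped if state == "invalid" else accepted
        target.append((peer, prefix, origin_as, state))
    return accepted, dropped

def prefix_list_for(asn, vrps=VRPS):
    """Prefix-list entries (prefix, max length) a customer AS may originate."""
    return sorted((p, m) for p, m, a in vrps if a == asn)

# Constructed sample announcements as seen from three peers.
SAMPLE = [
    ("peer-a", "192.0.2.0/24", 64500),     # matches its ROA
    ("peer-b", "192.0.2.0/24", 64511),     # wrong origin AS
    ("peer-b", "10.0.16.0/24", 64502),     # right origin, more specific than max length
    ("peer-a", "10.0.16.0/20", 64502),     # within max length
    ("peer-c", "198.51.100.0/24", 64503),  # no covering ROA
    ("peer-c", "2001:db8:1::/48", 64500),  # IPv6, within max length
]

if __name__ == "__main__":
    accepted, dropped = filter_adj_rib_in(SAMPLE)
    for entry in dropped:
        print("dropped:", entry)
```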