On 11 Mar 2012, at 09:48, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On 9 Mar 2012, at 10:02 , Jeff Wheeler wrote:
The way we are headed right now, it is likely that the IPv6 address space being issued today will look like "the swamp" in a few short years, and we will regret repeating this obvious mistake.
We had this discussion on the list exactly a year ago. At that time, the average IPv6 origin ASN was announcing 1.43 routes. That figure today is 1.57 routes per origin ASN.
The IETF and IRTF have looked at the routing scalability issue for a long time. The IETF came up with shim6, which allows multihoming without BGP. Unfortunately, ARIN started to allow IPv6 PI just in time so nobody bothered to adopt shim6. I haven't followed the IRTF RRG results for a while, but at some point LISP came out of this, where we basically tunnel the entire internet so the core routers don't have to see the real routing table.
But back to the topic at hand: filtering long prefixes. There are two reasons you want to do this:
1. Attackers could flood BGP with bogus prefixes to make tables overflow
2. Legitimate prefixes may be deaggregated so tables overflow
It won't be quick or easy, but the RPKI stuff should solve 1.
Unless the attacker uses the same origin AS that is in the ROA. Probably it won't hijack the traffic but it may create a DoS or any other kind of problem.

Regards,
as
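
Added example, not part of either poster's message: a minimal RFC 6811 route origin validation check in Python. It shows how a ROA's maxLength bounds more-specific announcements and why an announcement carrying the ROA's own origin AS can still validate. The prefixes and AS numbers are constructed from documentation ranges, and `validate` and `surviving` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: 2001:db8::/32, 3fff::/20 and AS64496-AS64511 are
# documentation ranges. Each VRP is (prefix, maxLength, origin ASN).
STRICT = [("2001:db8::/32", 32, 64496)]  # maxLength equals the announced length
LOOSE = [("2001:db8::/32", 48, 64496)]   # maxLength permits deaggregation to /48


def validate(route, origin_asn, vrps):
    """Return the RFC 6811 state of a route: valid, invalid or not-found."""
    net = ipaddress.ip_network(route)
    covered = False
    for prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS (never AS0) and a length <= maxLength.
        if asn != 0 and asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def surviving(routes, vrps):
    """Routes a router that drops RPKI-invalid announcements would keep."""
    return [r for r in routes if validate(r[0], r[1], vrps) != "invalid"]


if __name__ == "__main__":
    announcements = [
        ("2001:db8::/32", 64496),    # the legitimate aggregate
        ("2001:db8::/32", 64511),    # same prefix, different origin AS
        ("2001:db8:1::/48", 64496),  # more-specific carrying the ROA's origin AS
        ("2001:db8:2::/48", 64496),  # another such more-specific
        ("3fff:1::/32", 64511),      # no covering ROA at all
    ]
    for name, vrps in (("strict", STRICT), ("loose", LOOSE)):
        for prefix, asn in announcements:
            print(name, prefix, f"AS{asn}", validate(prefix, asn, vrps))
        print(name, "kept:", len(surviving(announcements, vrps)))
```

With the strict ROA the /48s are invalid even though they carry the authorized origin AS, so the maxLength published in a ROA decides how much of this case origin validation can filter. Prefixes with no covering ROA remain not-found and still need a prefix-length filter.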