On Thu, 14 Aug 2008 22:42:04 -0400 Jean-François Mezei <jfmezei@vaxination.ca> wrote:
> Pardon my ignorance here, but wouldn't it be much simpler if the so-called "tier 1" networks were to do the filtering work so that none of the downstream BGP peers would see the bad announcements?
>
> If some network in Italy sends out some bogus route for a site, this should be blocked by a few tier 1 networks instead of by everybody at the bottom of the tree. Yeah, that would mean that folks in Italy and whoever would have direct connections to that Italian network would accept those bad BGP announcements, but the rest of the world would continue to work.
>
> "Tier 1" networks like to brag about their importance within the internet; perhaps filtering bad announcements should be a responsibility assigned to them, and one which would further differentiate them from lesser networks.
Many of them -- most of them? -- do filter, to the extent that they can. However, they're in a poor position to do a complete job. If your peer is an end site, it's easy to filter what they send you; you know (or should know) what address blocks they have. (Verifying that they actually have the right to announce such blocks is a separate and difficult question, but I won't get into that here.) But what if your peer is another Tier 1, or even a lower-level ISP? How can you filter then? Another ISP can, will, and should announce routes to all of its customers, and it's quite hard (impossible, really) for the Tier 1s to track their peers' customers. Worse yet, some of these customers may themselves be ISPs, with their own customers. And if the peer of a Tier 1 is another Tier 1, it's not even possible to imagine how they'd know.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
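Worked example (added by the editor; this is not code from the thread or from either poster): the customer-side prefix check Bellovin calls easy, as a small Python model of a per-neighbor allow-list. The neighbor ASN (64512, a private ASN), the address blocks (RFC 5737 documentation ranges) and the /24 maximum-length rule are all constructed assumptions; in practice the list would be built from the customer's contract or IRR data and expressed as a router prefix-list. The "no list on record" branch is the point of his reply: against a peer ISP there is no enumerable set of downstream blocks, so a strict filter has nothing to compare against and can only fail closed or not filter at all.

```python
"""Per-customer BGP prefix filter (constructed example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# Constructed: address blocks this ISP has on record for one hypothetical
# customer, AS 64512. Real data would come from the contract or an IRR.
CUSTOMER_BLOCKS = {
    64512: ["192.0.2.0/24", "198.51.100.0/24"],
}

# Assumed policy knob: refuse anything more specific than /24 even if covered.
MAX_PREFIX_LEN = 24


@dataclass(frozen=True)
class Announcement:
    neighbor_as: int   # directly connected neighbor that sent the route
    prefix: str        # announced prefix, e.g. "192.0.2.0/24"


def check_announcement(ann, customer_blocks=CUSTOMER_BLOCKS, max_len=MAX_PREFIX_LEN):
    """Return (accept, reason) for one announcement heard from a neighbor.

    Accept only if the neighbor has a prefix list on file and the announced
    prefix lies inside one of the listed blocks and is not too specific.
    """
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"

    blocks = customer_blocks.get(ann.neighbor_as)
    if blocks is None:
        # Bellovin's case: for a peer ISP you cannot enumerate its customers'
        # (and their customers') blocks, so there is no allow-list to apply.
        # A strict filter has to fail closed here.
        return False, "no prefix list on record for neighbor"

    if net.prefixlen > max_len:
        return False, "more specific than /%d" % max_len

    for block in blocks:
        covering = ipaddress.ip_network(block)
        if net.version == covering.version and net.subnet_of(covering):
            return True, "covered by %s" % block
    return False, "not inside any block assigned to AS%d" % ann.neighbor_as


def filter_announcements(announcements, **kw):
    """Split a batch into accepted and rejected (prefix, reason) lists."""
    accepted, rejected = [], []
    for ann in announcements:
        ok, reason = check_announcement(ann, **kw)
        (accepted if ok else rejected).append((ann.prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    sample = [
        Announcement(64512, "192.0.2.0/24"),      # exact assigned block
        Announcement(64512, "198.51.100.0/25"),   # covered, but too specific
        Announcement(64512, "192.0.2.0/23"),      # covers the block; not inside it
        Announcement(64512, "203.0.113.0/24"),    # someone else's space
        Announcement(64513, "203.0.113.0/24"),    # neighbor with no list on file
    ]
    acc, rej = filter_announcements(sample)
    for p, why in acc:
        print("ACCEPT", p, "-", why)
    for p, why in rej:
        print("REJECT", p, "-", why)
```

Only the first sample announcement passes; the /23 is rejected because a less-specific route that merely covers an assigned block is not one the customer was assigned, and the AS 64513 route is rejected purely because there is nothing to check it against.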