On Mon, 25 Feb 2008, Danny McPherson wrote:
** Paul Wall brought up the fact that even obviously bogus routes (1/8 and 100/7) were accepted by 99% of internet during an experiment.
I'm not sure why this would surprise anyone. To me and you, it's not surprising. To the public, it might be. Even the majority of nanog attendees I think would be surprised.
** What I'd like to see discussed: Issues of filtering your transit downstream customers, who announce thousands of routes. Does *anyone* do it?
Lots of folks do. The interesting bit is that even then, those same providers would accept perhaps even those customer routes from their peers implicitly. Well, in this case, they *aren't* filtering! (unless I am misunderstanding what you are saying, due to repeated use of 'their').
** Things like PHAS won't work if hijacker keeps the origin-AS same (by getting their upstream to establish session with different ASN)
NO, that's not even necessary. Simply originate the route from the legit AS, and then transit it with the local AS as a transit AS. AS path manipulation is trivial. Oh yeah, d'oh! Thanks for the correction. But that is also an important point against PHAS and IRRPT filtering - they are powerless against a truly malicious hijacker (one that would register the route in the IRR, add the right origin-as to the AS-SET, and use the correct origin).
** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively working on implementing "chain of trust" of IP space allocations?
* Ways to address the issue without cooperation of 3491: ** Filtering anything coming out of 17557
Bad idea. Obviously :)
** Suggestions given: ** What I'd like to see discussed: Can a network operator, *today*, filter the "possibly bogus" routes from their peers, without manual intervention, and without false positives?
Sure, if they want to dedicate an engineer to it, automate policy deployment and deal with brokenness by turning steam valves. I'd like to see who does it, and get them to present the "operational lessons" at the next nanog!
* Yelling at people who don't filter
That's been productive for over a decade now.
** Per above, 3491 isn't the only one who filters. In fact, claims were made that *nobody* filters "large enough" downstreams. (beyond aspath/maxpref)
Wrong. Likewise, I'd like to know who does this (names) and how we can get them to present best practices at the next nanog!
-alex
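Added illustration (not part of the thread) of the PHAS limitation raised above: an origin-only monitor stays silent when the hijacker keeps the legitimate origin AS and inserts itself as the transit hop, whereas checking the origin's neighbour against the upstreams the operator knows it really uses does fire. All ASNs, prefixes and the "expected" tables are constructed sample values, and the adjacency knowledge is assumed to come from the operator's own records rather than the IRR.

```python
"""Origin-only vs. origin-adjacency checks over constructed BGP updates."""
from dataclasses import dataclass
from itertools import groupby

# Expected state an operator would keep locally (constructed, hypothetical ASNs).
EXPECTED_ORIGIN = {"203.0.113.0/24": {64500}}
EXPECTED_UPSTREAMS = {64500: {64510, 64511}}  # transits the origin actually buys from


@dataclass
class Alarm:
    prefix: str
    kind: str
    as_path: tuple


def strip_prepends(as_path):
    """Collapse runs of the same ASN so legitimate prepending is not an alarm."""
    return tuple(asn for asn, _ in groupby(as_path))


def origin_only_check(prefix, as_path):
    """PHAS-style: alarm only when the rightmost AS is not an expected origin."""
    path = strip_prepends(as_path)
    if path[-1] not in EXPECTED_ORIGIN.get(prefix, set()):
        return Alarm(prefix, "origin-change", path)
    return None


def adjacency_check(prefix, as_path):
    """Origin check plus: the AS adjacent to the origin must be a known upstream."""
    alarm = origin_only_check(prefix, as_path)
    path = strip_prepends(as_path)
    if alarm or len(path) < 2:
        return alarm
    origin, neighbour = path[-1], path[-2]
    if neighbour not in EXPECTED_UPSTREAMS.get(origin, set()):
        return Alarm(prefix, "unexpected-upstream", path)
    return None


# Constructed sample updates: (prefix, AS_PATH as seen at a collector).
SAMPLE_UPDATES = [
    ("203.0.113.0/24", (64520, 64510, 64500, 64500)),  # legitimate, with prepend
    ("203.0.113.0/24", (64520, 64530)),                # crude hijack: new origin
    ("203.0.113.0/24", (64520, 64530, 64500)),         # origin kept, 64530 as transit
]


def run(checker, updates=SAMPLE_UPDATES):
    """Return the alarms a given checker raises over the sample updates."""
    return [a for a in (checker(p, path) for p, path in updates) if a]
```

Running both checkers over SAMPLE_UPDATES shows the origin-only checker catching one of the two bogus announcements and the adjacency checker catching both.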