If every ISP does prefix based filtering on its downstream customers, the integrity of the Internet routing system will be improved a lot. The document below proposes such a model: http://www.iops.org/Documents/routing.html

--Jessica

--- Danny McPherson <danny@tcb.net> wrote:
i emphatically DO NOT think that large providers should filter other peers. i think the large providers should filter their own announcements, by carefully verifying what a downstream wishes to announce before accepting it, filtering the customer announcements, and aggregating their announcements to peers.
I believe Randy's point is that it'd be really nice to filter prefixes learned from peers, but even if the routing databases were up to date, reliable and useful, the routers can't perform the policy matches against filters fast enough.
And I agree completely. The fact that pretty much any network with an AS number could take any Internet subnet completely offline in a matter of -- what, ~8 minutes(?), intentionally or unintentionally, well, I think it's pretty amazing. The only way a service provider can protect their customers from this is by applying prefix-based filtering to all their peers.
Of course, this requires valid, accessible, up to date IP registration information. It also requires routers that can store hundreds of thousands of lines of policies. Then, the routers have to be able to perform matches on the policies when processing updates. All this is at the "control plane".
Then, ideally, the routers would be able to utilize the same set of policies to perform packet filtering functions in the "data plane", which is even more interesting.
These two components alone would make the overall Internet infrastructure far more reliable and secure than it is today, no doubt.
i think it's silly to try and regulate the world from one's own corner. regulate your corner, and encourage others to do the same. i don't care if said encouragement is by tacit agreement, or bound up in legalese in peering agreements.
I don't think it's silly at all to regulate the policies one employs in their network in order to increase overall destination availability to one's customers. Policies of this nature only require support of the network that implements them. Other than requiring peers to keep registry information up to date, they impact the peer networks in no way whatsoever.
-danny
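The customer-side check the thread argues for, "carefully verifying what a downstream wishes to announce before accepting it" against registry data, as an added example that is not part of the original mail or of any provider's configuration. The registry contents, ASNs and maximum prefix lengths are constructed sample values.

```python
import ipaddress

# Constructed sample registry: customer ASN -> prefixes it is registered to originate.
# In practice this would be populated from the routing registry the thread refers to.
CUSTOMER_REGISTRY = {
    64496: ["192.0.2.0/24", "198.51.100.0/23"],
    64497: ["203.0.113.0/24", "2001:db8:100::/40"],
}

# Assumed policy: do not accept anything more specific than these lengths.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def build_prefix_filter(registry):
    """Parse the registry once into ip_network objects keyed by customer ASN."""
    return {asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in registry.items()}


def accept_announcement(filters, customer_asn, prefix):
    """Decide whether a prefix announced by a downstream customer is accepted.

    Returns (accepted, reason). Only the network applying the filter has to
    agree with it; the customer simply has to keep its registry entries current.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # reject host bits set
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    allowed = filters.get(customer_asn)
    if allowed is None:
        return False, f"AS{customer_asn} is not a registered customer"
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False, f"/{net.prefixlen} is more specific than the accepted maximum"
    for registered in allowed:
        if net.version == registered.version and net.subnet_of(registered):
            return True, f"covered by registered {registered}"
    return False, f"not covered by any prefix registered to AS{customer_asn}"


def filter_update(filters, customer_asn, prefixes):
    """Apply the check to a whole update; return the prefixes that pass."""
    return [p for p in prefixes if accept_announcement(filters, customer_asn, p)[0]]


if __name__ == "__main__":
    f = build_prefix_filter(CUSTOMER_REGISTRY)
    for asn, p in [(64496, "192.0.2.0/24"), (64496, "192.0.2.0/25"),
                   (64496, "203.0.113.0/24"), (64498, "198.51.100.0/24")]:
        print(asn, p, accept_announcement(f, asn, p))
```

Running the block prints one decision per sample announcement; only the first is accepted, the others are rejected as too specific, belonging to another customer, or coming from an unregistered ASN.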