On Thu, 14 Aug 2008, Steven M. Bellovin wrote:
> Many of them -- most of them? -- do filter, to the extent that they can. However, they're in a poor position to do a complete job.
What I would like is to be able to filter prefixes on the basis of the AS-path/prefix combination, and have this in a signed fashion. So let's say an ISP has AS1 and their upstreams are AS2 and AS3. They have 10.0.5.0/16. They will then publish a routing policy that AS* (any AS) should only accept 10.0.5.0/16 originated from AS1, and no more specifics, but AS2 and AS3 should accept more specifics down to /24 (for granular traffic control). For this to be secure, I guess the announcement needs some kind of cryptographic verification, but I don't know much about that, but that should be used as well, but even without it we stop the possibility of human error announcing breakouts or that /16 by someone else.

Now, building existing prefix/AS-path lists based on the above information isn't feasible. We have ~30k ASN live and 270k prefixes so the amount of lines in a config is just unfeasible, which means we need some kind of new strategy to handle all this policy information. I guess having some kind of policy server which receives routes and then can tell routers to ignore them if they don't adhere to policy might work if the routes seen which are not according to policy are few, but if they become many then we run into the same scaling problem again.

So perhaps this problem can't be solved by anything existing, but instead we need new functionality in our routers to handle this problem? So time to market on this is in the years, but if we don't start work on it it'll never get done. But I do feel that any long-term solution needs to be distributed and implemented on a per ASN basis, where participating ASNs don't have to be directly connected to each other...

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
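As an added illustration (not code from the thread or from any router vendor), the policy described in the post can be evaluated mechanically: AS1 publishes that any AS should accept only the exact /16 from origin AS1, while upstreams AS2 and AS3 may also accept more specifics down to /24. The `PrefixPolicy` structure, the `accept_route` helper and the sample policy below are assumptions for this example; signing and verifying the policy is left out, and a prefix no published policy covers is assumed to pass unchanged.

```python
"""Evaluate the AS-path/prefix policy scheme described in the post.

A policy says: prefix P is originated by AS O; every AS accepts only the
exact prefix from O; the listed upstream ASes also accept more specifics
from O down to a per-upstream maximum length.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixPolicy:
    prefix: str                       # covering prefix as published by the origin
    origin_as: int                    # the only AS allowed to originate it
    upstream_max_len: dict = field(default_factory=dict)  # {asn: max prefix length}

    def __post_init__(self):
        # strict=False: the post writes 10.0.5.0/16 (host bits set); normalise it
        self.net = ipaddress.ip_network(self.prefix, strict=False)


# Constructed sample policy matching the post: AS1 owns the /16,
# upstreams AS2 and AS3 may take more specifics down to /24.
POLICIES = [PrefixPolicy("10.0.5.0/16", origin_as=1, upstream_max_len={2: 24, 3: 24})]


def accept_route(receiver_as, prefix, as_path, policies=POLICIES):
    """Return True if receiver_as should accept `prefix` announced with `as_path`.

    as_path is neighbour-first, so the origin AS is its last element.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    covering = [p for p in policies if net.subnet_of(p.net)]
    if not covering:
        return True  # assumption: no published policy, so behaviour is unchanged
    for pol in covering:
        if origin != pol.origin_as:
            return False  # wrong origin: the "/16 by someone else" case
        # Receivers without an explicit entry get only the exact published length
        max_len = pol.upstream_max_len.get(receiver_as, pol.net.prefixlen)
        if net.prefixlen > max_len:
            return False  # more specific than this receiver is allowed to take
    return True
```

Each policy line replaces many prefix-list entries, which is the scaling point the post makes: the check is per (receiver, prefix, origin) rather than a config line per prefix and AS path.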