tony, all,

On Wed, May 25, 2005 at 04:24:07PM -0700, Tony Li wrote:
> Fundamentally, there is a serious scalability issue with doing everything at configuration generation time. Since one cannot predict with certainty what AS paths will be seen for which prefix, one would have to authenticate each and every possible path and then encode the authenticated paths in the configuration.
but you don't really have to do this to solve a big chunk of the problem. wouldn't it be a good start to simply be able to authenticate originations? and by originations, i don't just mean the single AS, but the set of length-2 paths that form the existing originations for a prefix. the list of all prefixes seen in the global table, combined with all origination patterns seen for the past 6 months or so, is relatively easy to produce.

the scalability problem, as i understand it (not at all an expert here), is that routers won't currently handle such a list with regexps very well. apparently, ciscos will not allow filtering advertisements on a combination of prefix + as-path regexp at all, and junipers will, but the perception is that they will not scale to a list of 300-500K (which is the union of routes in global tables without any consolidation). if you could consolidate all equally originated prefixes under their covering supernets and still adequately filter, that number would be *much* smaller, obviously.

t.

-- 
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com
www.renesys.com
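The consolidation step todd describes, written out as an added example in Python (it is not code from todd, Tony, Renesys or anyone in the thread). It models an "origination" as the length-2 tail of an observed AS path, i.e. an (origin AS, upstream AS) pair, uses constructed prefixes and private-use AS numbers as the observed data, folds every prefix under a covering supernet that has the identical origination set, keeps a more-specific that is originated differently as its own entry, and then evaluates announcements against the folded list by longest match. It also makes the caveat explicit: folding under a supernet admits more-specifics of the same origination that were never actually seen, up to the longest length that was, so the consolidated filter is slightly looser than the raw per-prefix list. Turning the result into vendor configuration is out of scope here.

```python
"""Consolidate observed BGP originations into a compact prefix + origination filter.

Added example (not from the original thread): an "origination" is modelled as the
length-2 tail of an AS path, (origin AS, upstream AS).
"""
import ipaddress

# Constructed sample data, not real routing-table contents. Each prefix maps to the
# set of (origin AS, upstream AS) pairs observed for it over the collection window.
OBSERVED = {
    "192.0.2.0/24":    {(64500, 64510), (64500, 64511)},
    "192.0.2.0/25":    {(64500, 64510), (64500, 64511)},
    "192.0.2.128/25":  {(64500, 64510), (64500, 64511)},
    "198.51.100.0/24": {(64501, 64510)},
    "198.51.100.0/25": {(64502, 64512)},  # originated differently from its covering /24
    "203.0.113.0/24":  {(64503, 64510), (64503, 64513)},
    "203.0.113.64/26": {(64503, 64510), (64503, 64513)},
}


def consolidate(observed):
    """Fold each prefix into the most specific covering entry that carries the same
    origination set; otherwise keep it as its own entry.

    Returns a list of (network, max_prefixlen, originations). max_prefixlen is the
    longest more-specific folded into the entry, so the filter can bound how specific
    an announcement under that supernet may be. Caveat: folding accepts unseen
    more-specifics of the same origination up to that length, so the consolidated
    filter is slightly looser than the per-prefix list it replaces.
    """
    items = [(ipaddress.ip_network(p), frozenset(o)) for p, o in observed.items()]
    # Shortest prefixes first, so every covering supernet is processed before its
    # more-specifics; ties broken by address for a deterministic result.
    items.sort(key=lambda t: (t[0].version, t[0].prefixlen, int(t[0].network_address)))
    entries = []  # mutable [network, max_prefixlen, originations] while folding
    for net, origins in items:
        cover = None
        for entry in entries:  # entries are in ascending length order, so the last
            if entry[0].version == net.version and net.subnet_of(entry[0]):
                cover = entry  # covering match is the most specific one
        if cover is not None and cover[2] == origins:
            cover[1] = max(cover[1], net.prefixlen)
        else:
            entries.append([net, net.prefixlen, origins])
    return [tuple(entry) for entry in entries]


def path_tail(as_path):
    """Return (origin AS, upstream AS) of an AS path with prepends collapsed, or None
    when the path has fewer than two distinct ASes and so has no length-2 tail."""
    collapsed = []
    for asn in as_path:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    if len(collapsed) < 2:
        return None
    return (collapsed[-1], collapsed[-2])


def check(entries, prefix, as_path):
    """Evaluate one announcement against the consolidated filter.

    The most specific entry covering the prefix decides (longest match), so a
    more-specific kept with its own originations overrides its supernet. Returns
    'accept', 'reject-no-entry', 'reject-length' or 'reject-origination'.
    """
    net = ipaddress.ip_network(prefix)
    best = None
    for entry in entries:
        e_net = entry[0]
        if e_net.version == net.version and net.subnet_of(e_net):
            if best is None or e_net.prefixlen > best[0].prefixlen:
                best = entry
    if best is None:
        return "reject-no-entry"
    if net.prefixlen > best[1]:
        return "reject-length"
    if path_tail(as_path) not in best[2]:
        return "reject-origination"
    return "accept"


if __name__ == "__main__":
    filt = consolidate(OBSERVED)
    print(f"{len(OBSERVED)} observed prefixes -> {len(filt)} filter entries")
    for net, max_len, origins in filt:
        print(f"  {net} upto /{max_len}: {sorted(origins)}")
    print(check(filt, "192.0.2.128/25", [64511, 64500, 64500]))
```

On the constructed data the seven observed prefixes fold to four entries: the 192.0.2.0/24 block and its two /25s become one entry, the 203.0.113.0/24 block absorbs its /26, and 198.51.100.0/25 stays separate because its origination differs from the /24 above it. The check collapses AS-path prepends before reading the tail, and a path with a single AS has no upstream and is rejected rather than matched loosely.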