--- Danny McPherson <danny@tcb.net> wrote:
> I agree with this, and have seen the document, and have worked for large providers that performed prefix filtering on customers long before IOPS existed.
I know that some ISPs have been doing that, but that is not good enough. The key is to have EVERY ISP do it to leave no 'holes' for bad routes to sneak in. And that's the model suggested in the paper.
> However, if every ISP performed prefix-based filtering between one another, it'd be improved "a lot more". I recall more than a few instances when providers inadvertently broke other providers' customers by "mis-advertising" prefixes.
Agree. The ideal situation is to filter on all interfaces where external routes come in, i.e. filter on peers and customers. I used to work for an ISP (ANS) which filtered all its peers and managed to automatically generate router configurations including a huge number of prefix filtering lines. It did help us to dodge the disaster of AS7007 and other similar incidents. However, it does introduce a lot more work. Also, the toughest part is how often to update the filtering list so that no legitimate prefixes are blocked. How big a filter list a router can handle in its configuration is something that needs to be investigated, since the number of prefix lines will be huge for peer-to-peer filtering. In conclusion, the best is for ISPs to filter on peers and customers. But if they cannot do that for peers, at least filter on customers. If all ISPs filter their customers, it's already a big step forward.
> And if every ISP performed SA verification between one another (presumably with the same filters) it would again be improved "a lot" more.
> -danny
--jessica
> > If every ISP does prefix based filtering on its downstream customers, the integrity of the Internet routing system will be improved a lot. The document below proposes such a model:
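The thread argues for generating per-customer prefix filters from registered allocations, applying them at every customer ingress, and regenerating them often enough that newly registered prefixes are not blocked. The following Python is an added example illustrating that workflow; it is not code from the thread, from ANS, or from the paper being discussed. The customer names, the allocation table (documentation address ranges), the Cisco-like prefix-list line format and the per-family maximum prefix length are all assumptions made for the example.

```python
"""Customer prefix-filter generation, checking and refresh.

Added example, not from the mailing-list thread. It builds a per-customer
ingress prefix filter from a constructed allocation table, applies it to
sample announcements, and diffs a deployed filter against a regenerated
one so that stale or missing entries are visible before they block a
legitimate prefix or keep permitting a withdrawn one.
"""
import ipaddress

# Constructed sample registry (assumption): prefixes each customer is
# authorised to originate. Addresses are RFC 5737 / RFC 3849 documentation
# ranges and the customer names are hypothetical.
CUSTOMER_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/23", "2001:db8:100::/40"],
}

# Longest more-specific accepted per address family (assumed policy values).
MAX_LEN = {4: 24, 6: 48}


def build_prefix_list(customer, prefixes):
    """Render one permit entry per authorised prefix, then an explicit deny.

    The line syntax is Cisco-like purely for illustration (an assumption);
    the sequence numbers step by 5 so entries can be inserted later.
    """
    lines = []
    seq = 5
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        max_len = MAX_LEN[net.version]
        # Allow more-specifics of an aggregate only up to the family limit.
        suffix = f" le {max_len}" if net.prefixlen < max_len else ""
        lines.append(f"prefix-list {customer}-in seq {seq} permit {net}{suffix}")
        seq += 5
    lines.append(f"prefix-list {customer}-in seq {seq} deny any")
    return lines


def is_permitted(announced, allowed):
    """True if the route is covered by an authorised prefix of the same
    address family and is not more specific than MAX_LEN for that family."""
    net = ipaddress.ip_network(announced, strict=False)
    if net.prefixlen > MAX_LEN[net.version]:
        return False
    for a in allowed:
        auth = ipaddress.ip_network(a)
        if auth.version == net.version and net.subnet_of(auth):
            return True
    return False


def filter_announcements(customer, announced):
    """Split a customer's announcements into (accepted, rejected) lists.

    An unknown customer has no authorised prefixes, so everything it sends
    is rejected: the filter is deny-by-default, leaving no 'hole'.
    """
    allowed = CUSTOMER_PREFIXES.get(customer, [])
    accepted, rejected = [], []
    for route in announced:
        (accepted if is_permitted(route, allowed) else rejected).append(route)
    return accepted, rejected


def _action(line):
    """Drop 'prefix-list NAME seq N' so entries compare by content only."""
    return line.split(maxsplit=4)[-1]


def diff_filter(deployed, regenerated):
    """Compare the filter on the router with a fresh regeneration.

    Returns (to_add, to_remove). Entries in to_add are missing from the
    router and would block a legitimately registered prefix; entries in
    to_remove are stale and still permit a prefix the customer no longer holds.
    """
    old = {_action(line) for line in deployed}
    new = {_action(line) for line in regenerated}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for name, prefixes in CUSTOMER_PREFIXES.items():
        print("\n".join(build_prefix_list(name, prefixes)))
    sample = ["198.51.100.0/24", "198.51.100.0/25", "203.0.113.0/24"]
    print(filter_announcements("cust-B", sample))
    stale = build_prefix_list("cust-B", ["198.51.100.0/23", "203.0.113.0/24"])
    print(diff_filter(stale, build_prefix_list("cust-B", CUSTOMER_PREFIXES["cust-B"])))
```

Running the module prints the generated filters, the accept/reject split for a few sample announcements, and the diff between a stale deployed filter and a regenerated one. The size question raised in the thread shows up directly: the total number of generated lines grows with the number of authorised prefixes per neighbour, which is manageable per customer but becomes large when the same approach is applied to every peer.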