Karl wrote:
Fascistic filtering breaks connectivity.
Please explain this. I do not think that strict filtering of routes necessarily detracts from sustained connectivity. While it may decrease the elasticity of the net, and it may delay the time for new networks to be connected, properly thought out routing policies can properly effect sturdy, efficient networks.
Sure. Routing policies are not the same thing as fascistic filtering. If your policy amounts to preventing certain prefixes from being announced to your network then you have by definition made it impossible to reach those sites from your backbone. This breaks connectivity.
So you trade a *risk* of broken connectivity for KNOWN broken connectivity?
Yes, actually, I would. It comforts me to know that there are two more hurdles placed in network X's way so that our routes can not be spoofed across the world.
But your routes *can* still be spoofed. This is the problem. Until and unless you can define exactly what the locus of "your routes" is, you have the problem. The route server approach *tries* to define this, and in fact it probably does (or can do) a reasonable job. Absent this kind of registry, filtering announcements may *appear* to make things more stable, but it fails to provide the widest connectivity and in fact just makes sites permanently unreachable.
Sounds like a poor trade to me, and one which, undertaken consciously and with knowledge of the repercussions, leaves you with being less than a full Internet connectivity provider.
By filtering the routes that an ISP allows they are less than a full ISP?!!?

-- Alan Hannan (402) 472-0241 MIDnet Inc.
Filtering the *announcements* that an ISP will honor, without being able to verify whether or not they are really bogus, does exactly that. If you want some kind of assurance that prefixes being advertised are legit, then you need a routing-registry type-of-service. This service requires that the users and people putting in the data that it crunches trust it implicitly. I am not expressing an opinion here as to whether or not the current efforts in this area fill the requirement lists that people have. I am, however, saying that if you filter without *knowing* that the filters pass all legit prefixes (an impossible task unless you're omniscient) you will break connectivity in many specific cases.

--
Karl Denninger (karl@MCS.Net) | MCSNet - The Finest Internet Connectivity
Modem: [+1 312 248-0900]      | (shell, PPP, SLIP, leased) in Chicagoland
Voice: [+1 312 248-8649]      | 7 POPs online through Chicago, all 28.8
Fax: [+1 312 248-9865]        | Email to "info@mcs.net" for more information
ISDN: Surf at Smokin' Speed   | WWW: http://www.mcs.net, gopher: gopher.mcs.net
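The trade-off argued in this thread, as an added example that is not part of the original messages: a filter built from registry route objects is run over a set of announcements, and the audit reports which legitimate routes it drops and which bogus ones it stops. The registry entries, announcements, AS numbers and the ground-truth flag are all constructed for illustration (documentation address and AS ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed registry route objects: (prefix, origin AS).
REGISTRY = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
]

# Constructed announcements: (prefix, origin AS, legit).
# "legit" is ground truth that the filtering router itself cannot see.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500, True),       # registered, correct origin
    ("192.0.2.0/24", 64510, False),      # registered prefix, wrong origin
    ("203.0.113.0/24", 64502, True),     # legitimate but never registered
    ("198.51.100.128/25", 64501, True),  # more-specific of a registered route
]

def build_filter(registry):
    """Parse registry entries into (network, origin AS) pairs."""
    return [(ipaddress.ip_network(p), asn) for p, asn in registry]

def accepts(flt, prefix, origin, allow_more_specifics=False):
    """True if the announcement matches a registered prefix and origin."""
    net = ipaddress.ip_network(prefix)
    for reg_net, reg_asn in flt:
        if origin != reg_asn or net.version != reg_net.version:
            continue
        if net == reg_net:
            return True
        if allow_more_specifics and net.subnet_of(reg_net):
            return True
    return False

def audit(registry, announcements, allow_more_specifics=False):
    """Sort announcements into passed/dropped x legit/bogus buckets."""
    flt = build_filter(registry)
    result = {"passed_legit": [], "dropped_legit": [],
              "passed_bogus": [], "dropped_bogus": []}
    for prefix, origin, legit in announcements:
        ok = accepts(flt, prefix, origin, allow_more_specifics)
        key = ("passed" if ok else "dropped") + ("_legit" if legit else "_bogus")
        result[key].append((prefix, origin))
    return result

if __name__ == "__main__":
    for bucket, routes in audit(REGISTRY, ANNOUNCEMENTS).items():
        print(bucket, routes)
```

The `dropped_legit` bucket is the broken connectivity described above: the filter is only as complete as the registry data behind it.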