Re: route policy (Re: Public shaming list for ISPs announcing other ISPs IP space by mistake)
My thoughts on the prefix filtering issue would be that we need some kind of system that works along the same principles as DNSSEC and SPF, i.e. a holder of IP space can publish that they would like everybody to filter in a certain way for announcements for that particular prefix, and then the other end can do so if they want to.
http://blog.wired.com/27bstroke6/2008/08/experts-accuse.html
"The Internet Assigned Numbers Authority -- which coordinates the internet -- has been prototyping a system to sign the root-zone file for the last year, but they can't do the same for the internet's top servers without approval from the Department of Commerce"
Sounds like some work that could be recycled (and save being wasted if it's decided to have Verisign do the dnssec instead)
Herein is the value, the RIR (RIPE) is also the holder of the policy. With ARIN, this is not the case, there is RADB and a number of other RR's that are out there for varying reasons, some personal and some business.
Yes, RIPE rock. Please make it all not suck.
I think in this web 2.0 world, everything you're speaking of can be a challenge but not be impossible. The problem I see is there are no good tools.
In 2.0 world someone would make routetubebookparty and sell out to Google for millions, VCs line up here (the owner is as close to owning the internet as anyone)
This can help you audit the routes that are going to be placed in a prefix-list. How do you integrate something like this into your business policy? Have customers submit a web form for their routes? It's easy when your customer is AS267, but what if your customer is something larger like telstra?
probably signed lumps of XML, people can make it however they want
If I can make this backend ugliness called "RADB/irrd" invisible to my customers, will that help?
I presume this would replace all the old stuff
brandon
Hi,
On Aug 14, 2008, at 6:38 AM, Brandon Butterworth wrote:
http://blog.wired.com/27bstroke6/2008/08/experts-accuse.html
"The Internet Assigned Numbers Authority -- which coordinates the internet -- has been prototyping a system to sign the root-zone file for the last year, but they can't do the same for the internet's top servers without approval from the Department of Commerce"
Sounds like some work that could be recycled (and save being wasted if it's decided to have Verisign do the dnssec instead)
Just to be clear, the stuff at https://ns.iana.org/dnssec/status.html will be used for more than the root, e.g., .ARPA, children of .ARPA, IANA.ORG, etc., regardless of who ends up signing the root.
Regards,
-drc
On Thu, 14 Aug 2008, Brandon Butterworth wrote:
Herein is the value, the RIR (RIPE) is also the holder of the policy. With ARIN, this is not the case, there is RADB and a number of other RR's that are out there for varying reasons, some personal and some business.
Yes, RIPE rock. Please make it all not suck.
Unfortunately, RIPE DB will allow anyone to add any route objects for prefixes that are not under RIPE management :-(. For example, anyone could add route objects for most of the DNS root server prefixes. For those prefixes that are managed by RIPE, it's good. But the above feature dilutes the trustworthiness of RIPE DB slightly...
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings
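An added example, not written by anyone in this thread, of the check the message above implies: when building a prefix-list from a registry's route objects, accept only those whose prefix lies inside space that registry manages, and hold the rest for manual verification. The managed blocks, AS numbers and object dump are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the address space the registry itself manages
# (assumption: documentation prefixes, not real allocations).
REGISTRY_MANAGED = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]

# Constructed RPSL route objects, all carrying the same registry as source.
SAMPLE_DUMP = """\
route:   192.0.2.0/25
origin:  AS64500
source:  RIPE

route:   198.51.100.0/24
origin:  AS64501
source:  RIPE

route6:  2001:db8:10::/48
origin:  AS64500
source:  RIPE
"""

def parse_route_objects(text):
    """Split an RPSL dump on blank lines; return one dict per route object."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only (IPv6 safe)
            obj[key.strip().lower()] = value.strip()
        if "route" in obj or "route6" in obj:
            objects.append(obj)
    return objects

def is_managed(prefix, managed=REGISTRY_MANAGED):
    """True if the prefix sits inside a block the registry manages."""
    return any(prefix.version == m.version and prefix.subnet_of(m)
               for m in managed)

def build_prefix_list(text, origin_as):
    """Return (accepted, held) prefixes registered for origin_as."""
    accepted, held = [], []
    for obj in parse_route_objects(text):
        if obj.get("origin") != origin_as:
            continue
        prefix = ipaddress.ip_network(obj.get("route") or obj["route6"])
        (accepted if is_managed(prefix) else held).append(str(prefix))
    return accepted, held
```

Prefixes in the `held` list are the ones for which the route object alone proves nothing about who holds the space.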
participants (3)
- Brandon Butterworth
- David Conrad
- Pekka Savola