Re: Who uses RADB? [was BGP to doom us all]
As you say, for customers only. Inter-provider we have basic bogon checking plus maximum prefix. It's too unwieldy to build when you have peers exchanging thousands of routes... there's a belief that the peer should be behaving responsibly though, and this is a condition of most bilateral peering contracts.
Unfortunately, contracts don't fix mis-(or malicious-) configurations on compromised routers or from a peer's disgruntled worker.
Going back to the original topic on this thread, I would expect a deliberate attack on BGP routing to come from a customer, not a provider such as Level3; if they are filtering in turn to their customers we have a reasonable amount of sanity checking going on.
A large provider I worked for in the past had a router maliciously configured to inject a more-specific prefix for a very "popular network". Even the "popular network's" provider sent the traffic to us. Had explicit prefix-based inter-provider filtering been in place it would not have occurred, or at least "the whole Internet" wouldn't have been affected.

With the IRRs and inter-provider filtering it's the whole chicken and egg thing. Inter-provider filters aren't in place because no one cares about IRRs (even though they have other operational value as well). Vendors don't support the amount of prefix filters required because they say no one uses them. Heck, lots of folks still don't ingress filter routes (or packets) from their customers.

When ANS used to employ inter-provider filters the biggest problem was getting them updated and bouncing routes or sessions. That's no excuse anymore because pretty much everyone supports the ability to incrementally update filters, and BGP Route Refresh fixes the bounce the session/route thing.

So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed.

-danny
So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed.
-danny
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for companies that consider a million dollars chump change but that is not the case everywhere. If you can give me a convincing reason to register my routes in a RADB I will - but at this point I have yet to see it. What does a RADB tell you about a non-transit network that you can't see from BGP and WHOIS? There is no more security in RADB than there is in our current method of notifying our peers of the netblocks we are announcing.

Mark Radabaugh
Amplex
(419) 720-3635
On Sat, 1 Mar 2003, Mark Radabaugh wrote:
So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed.
-danny
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
companies that consider a million dollars chump change but that is not the case everywhere. If you can give me a convincing reason to register my routes in a RADB I will - but at this point I have yet to see it.
You've been reading this thread, right? Those were the reasons and they were pretty good; if you don't, you may get filtered eventually or have your routes hijacked.
What does a RADB tell you about a non-transit network that you can't see
It tells you who it belongs to, where it should be coming from, possibly contact details.
from BGP and WHOIS? There is no more security in RADB than there is in our current method of notifying our peers of the netblocks we are announcing.
Well, you can't arbitrarily register routes to them; you have to be a member, and have to match the authorisation criteria. I use RIPE and you have to be authorised on both the ASN and the INETNUM objects to register the route for it.

Steve
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
Correct. We pay for lots and lots of things - and there are about 30 other things I need NOW that cost $500.
You've been reading this thread, right? Those were the reasons and they were pretty good; if you don't, you may get filtered eventually or have your routes hijacked.
Eventually is not now - and given that you have a horrendous chicken and egg problem I don't see it happening anytime in even the remote future. I'll grant you that it would be nice to have it so that my routes can't be hijacked - but we are back to the same chicken and egg problem. I'm contributing to one end of it - but I'm not the hard one to convince here. It's the many thousands of others who don't read NANOG.
Well, you can't arbitrarily register routes to them; you have to be a member, and have to match the authorisation criteria. I use RIPE and you have to be authorised on both the ASN and the INETNUM objects to register the route for it.
True enough. And to get my BGP peers to accept my routes I have to do the exact same thing by communicating with them - not just changing entries in the RADB. If I want to launch a malicious attack both methods leave trails - but I'm willing to bet that it's a lot more likely that a person reviewing my request at a BGP peer will catch me before an automated system. Even if you compromise my routers it still doesn't allow you to announce anything interesting from me - you still have to convince my upstream providers to accept the announcements based on the current system of manually entered prefixes.

We have had our routes registered in RADB in the past but despite the theory that it is laziness we dropped it due to expense and lack of relevance. I'll probably register our routes again but until RADB becomes a requirement of the RIRs or someone with authority I rather suspect this is a dead end.

Mark
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
Because it provides me *no* service whatsoever.
What does a RADB tell you about a non-transit network that you can't see
It tells you who it belongs to, where it should be coming from, possibly contact details.
Presuming that it is correct, which it is NOT in a large percentage of cases. So again, why am I paying someone to provide me incorrect information?

Alex
On Saturday, Mar 1, 2003, at 11:28 America/Vancouver, alex@yuriev.com wrote:
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
Because it provides me *no* service whatsoever.
Then don't use it. Surely this is not rocket science.
What does a RADB tell you about a non-transit network that you can't see
It tells you who it belongs to, where it should be coming from, possibly contact details.
Presuming that it is correct, which it is NOT in a large percentage of cases. So again, why am I paying someone to provide me incorrect information?
You're not. You're paying to provide other people with information about you. Retrieving other peoples' incorrect information is free.

Joe
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
Because it provides me *no* service whatsoever.
Then don't use it. Surely this is not rocket science.
If it provides no service to me and the guy next block and another little ISP that is announcing some prefixes and a few large ISPs that announce quite a few prefixes, you won't get the data that you need. I am sure you get the idea.

Alex
On Sunday, Mar 2, 2003, at 14:06 America/Vancouver, alex@yuriev.com wrote:
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to join!
Because it provides me *no* service whatsoever.
Then don't use it. Surely this is not rocket science.
If it provides no service to me and the guy next block and another little ISP that is announcing some prefixes and a few large ISPs that announce quite a few prefixes, you won't get the data that you need. I am sure you get the idea.
Some people seem to have the idea that RADB-like services are only useful if every operator uses them, and every operator publishes accurate information. In my experience, that is not the case.

The most common usefulness I have experienced out of the IRR is as an automated mechanism for publishing policy to adjoining ASes. Examples are BGP-speaking customers instructing their providers on how to filter their advertisements, and ASes filtering advertisements from their peers (which does happen, even if it's not common in the US). Whether or not non-adjoining ASes use the IRR at all, or use it well, is not relevant to this application.

Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient and less customer-enraging than the common alternative approach of opening six different tickets with the NOC and sacrificing small animals for three weeks until the updates are made.

Joe
--- Joe Abley <jabley@isc.org> wrote:
Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient and less customer-enraging than the common alternative approach of opening six different tickets with the NOC and sacrificing small animals for three weeks until the updates are made.
When I was at $LARGE_PROVIDER, I was working on a project to port all of the customer IP information over to route-objects for precisely this purpose: the goal was that customers would be able to update their filters automatically (and get rWHOIS for free - simplifying additional ARIN allocation requests).

Sadly for that project, after I left, the little Ultra 5 was abandoned, and AFAIK is still sitting in my old lab, unused - and after the most recent (quarterly) staff-bloodletting, there certainly won't be resources to devote to a project like that. Sigh.

=====
David Barak
-fully RFC 1925 compliant-
Very subtle, David. As it happens, somebody asked only last week if they could take up the project again.

For those who think mapping filters to route objects is nigh trivial, there is a significant difference between network assignees and routes. Tracking assignments, ASNs, customer routing policy, and which edge router each connects to requires two scoops of Perl.

I should also point out that three out of four RIRs run a route registry. http://www.arin.net/tools/rr.html

Lee

On Sun, 2 Mar 2003, David Barak wrote:
Date: Sun, 2 Mar 2003 19:54:26 -0800 (PST)
From: David Barak <thegameiam@yahoo.com>
To: Joe Abley <jabley@isc.org>, nanog@merit.edu
Subject: Re: Who uses RADB? [was BGP to doom us all]
--- Joe Abley <jabley@isc.org> wrote:
Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient and less customer-enraging than the common alternative approach of opening six different tickets with the NOC and sacrificing small animals for three weeks until the updates are made.
When I was at $LARGE_PROVIDER, I was working on a project to port all of the customer IP information over to route-objects for precisely this purpose: the goal was that customers would be able to update their filters automatically (and get rWHOIS for free - simplifying additional ARIN allocation requests).
Sadly for that project, after I left, the little Ultra 5 was abandoned, and AFAIK is still sitting in my old lab, unused - and after the most recent (quarterly) staff-bloodletting, there certainly won't be resources to devote to a project like that. Sigh.
I'm thrilled to hear that that project is being picked up again. The long-term benefits (IMO) are worth the non-trivial amount of effort required to make a functioning solution.

--- lhoward@UU.NET wrote:
Very subtle, David. As it happens, somebody asked only last week if they could take up the project again. For those who think mapping filters to route objects is nigh trivial, there is a significant difference between network assignees and routes. Tracking assignments, ASNs, customer routing policy, and which edge router each connects to requires two scoops of Perl.
I should also point out that three out of four RIRs run a route registry. http://www.arin.net/tools/rr.html
Lee
On Mon, 3 Mar 2003 lhoward@UU.NET wrote:
Very subtle, David. As it happens, somebody asked only last week if they could take up the project again. For those who think mapping filters to route objects is nigh trivial, there is a significant difference between network assignees and routes. Tracking assignments, ASNs, customer routing policy, and which edge router each connects to requires two scoops of Perl.
It's not trivial, but there are several proofs of existence out there. I think Worldcom even owned the code for at least two working implementations at one time or another :-)

Essentially a route registry is a way to tell everyone "only listen to this route/prefix from me." But if every ISP runs their own route registry, you end up with the same problem with an additional level of indirection. C&W's route registry says their route, Level 3's route registry says their route, Verio's route registry says their route. Etc with Merit, ARIN, RIPE.

However, it is a step forward to get the information in a common format which can be shared/munged/checked/etc. The route vectors in BGP are very information limited. RPSL/rWHOIS has the opportunity to provide more context.
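Joe's "small lump of script" that turns route objects into filters, and Sean's summary that a route object tells everyone "only listen to this prefix from me", as an added example that is not anything a poster wrote: a Python sketch (Perl would do equally well) that parses constructed RPSL route objects, renders an exact-match inbound prefix-list for one customer ASN, and classifies announcements so that the unregistered more-specific Danny described stands out. The registry dump, AS numbers and prefixes are constructed documentation values, not real IRR data.

```python
import ipaddress
from collections import defaultdict

# Constructed RPSL route objects in the shape an IRR (RADB, RIPE, ALTDB)
# returns; prefixes and AS numbers are documentation ranges, not real data.
IRR_DUMP = """\
route:      192.0.2.0/24
descr:      Example customer A
origin:     AS64496
mnt-by:     MAINT-EXAMPLE-A
source:     EXAMPLE-IRR

route:      198.51.100.0/23
descr:      Example customer B
origin:     AS64497
mnt-by:     MAINT-EXAMPLE-B
source:     EXAMPLE-IRR
"""


def parse_route_objects(text):
    """Map origin ASN -> set of registered IPv4 networks (blank-line separated RPSL)."""
    by_origin = defaultdict(set)
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            by_origin[attrs["origin"]].add(ipaddress.ip_network(attrs["route"]))
    return by_origin


def build_prefix_list(by_origin, asn, name):
    """Render an exact-match, IOS-style inbound prefix-list for one customer ASN."""
    lines = []
    for net in sorted(by_origin.get(asn, ())):
        lines.append(f"ip prefix-list {name} seq {len(lines) * 5 + 5} permit {net}")
    # Explicit deny-all: anything not registered to this origin is dropped.
    lines.append(f"ip prefix-list {name} seq {len(lines) * 5 + 5} deny 0.0.0.0/0 le 32")
    return lines


def check_announcement(by_origin, prefix, asn):
    """Classify (prefix, origin) as valid, origin-mismatch, more-specific or
    unregistered; 'more-specific' is the hijack pattern described in the thread."""
    net = ipaddress.ip_network(prefix)
    if net in by_origin.get(asn, set()):
        return "valid"
    all_routes = set().union(*by_origin.values())
    if net in all_routes:
        return "origin-mismatch"   # exact object exists, but for another origin
    if any(net.subnet_of(r) for r in all_routes):
        return "more-specific"     # covered by someone's route object, not registered itself
    return "unregistered"
```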
On Sat, Mar 01, 2003 at 11:31:30AM -0500, Mark Radabaugh wrote:
So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed.
-danny
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for
ALTDB? www.altdb.net. Even Verio mirrors ALTDB, so customers can use it instead of the Verio registry if you want. http://info.us.bb.verio.net/routing.html#VRR

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
Mark Radabaugh <mark@amplex.net> writes: [...]
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for companies that consider a million dollars chump change but that is not the case everywhere. If you can give me a convincing reason to register my routes in a RADB I will - but at this point I have yet to see it.
FYI, the RIPE Database implements RPSL and is free to use. http://www.ripe.net/ripencc/pub-services/db/index.html

Regards,
--
leo vegoda
RIPE NCC Registration Services
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for companies that consider a million dollars chump change but that is not the case everywhere. If you can give me a convincing reason to register my routes in a RADB I will - but at this point I have yet to see it.
There is at least one free best-effort IRR. Also, as you point out, there are several IRRs which permit customers to register for free. RIPE permits (even encourages, I believe) its members to register in its db. ARIN may do the same, as I see they have a db.