Re: So -- what did happen to Panix?
Todd Underwood wrote:
> you're probably right (as usual). but it seems that if you delay acceptance of announcements with novel origination patterns, you don't harm very many legitimate uses. in particular, ASes changing upstreams won't be harmed at all. people moving their prefix to a new ISP will have a fixed delay in getting their announcement propagated, sure. but they already have this delay now.
> they tell the new ISP: 'announce my prefix' and the new ISP says 'prove it's yours'. they do that for a couple of emails. then the new ISP asks its upstreams to accept that announcement. that takes a little while (ranging from 4 to 72 hours in my recent experience).
This is great for the planned changes, but real-time changes to respond to Internet dynamics won't work well with such delays. If you are multi-homed to provide a backup, you would like for it to respond more quickly than 4-72 hours, I'll bet. So if you have PI space but not your own AS, your backup route would look like a novel origination, but you sure wouldn't want it delayed. How common are such cases? Should the solutions cover them also? Should there be special procedures to deal with special cases? Etc. --Sandy
> This is great for the planned changes, but real-time changes to respond to Internet dynamics won't work well with such delays. If you are multi-homed to provide a backup, you would like for it to respond more quickly than 4-72 hours, I'll bet. So if you have PI space but not your own AS, your backup route would look like a novel origination, but you sure wouldn't want it delayed.

no. the scheme that josh karlin has been advocating in pretty good bgp involved only suppressing a doubtful announcement when you have a better, more trusted announcement.

it remains to be seen how hard this would be to implement in existing systems of "build filters in configs and push to routers". this only works obviously well in systems that centralize route selection and use routers only as forwarding engines. that might be a cool idea, but it's not what we have now.

if you don't use the pgbgp scheme, you can still get the benefits of being no worse than what we have now. consider this just a different, more automatic, more scalable, more secure way of building and maintaining the prefix filter that we all are supposed to be maintaining already.

i'll be happy to talk to interested parties at nanog in dallas about this (or almost anything else, especially if you're buying).

t.

--
_____________________________________________________________________
todd underwood
chief of operations & security
renesys - internet intelligence
todd@renesys.com
www.renesys.com
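The selection rule Todd describes (a doubtful, novel-origin announcement is only ranked below a route from a known origin, never dropped outright) and the multihomed backup case Sandy raises can be checked against each other with a small model. The following is an added example written for this page; it is not code from the thread, from Renesys, or from the pretty good BGP authors, and it simplifies their scheme to a per-prefix origin history. The window lengths, the prefix 192.0.2.0/24, the AS numbers and the timestamps are all constructed for the illustration.

```python
"""Toy model of a PGBGP-style origin-history check (added example, not from the thread).

A per-prefix table remembers which origin ASes have announced the prefix and
when. An announcement whose origin is novel for that prefix is tagged
"doubtful" for a window, and route selection ranks doubtful routes below
routes from known origins. If the doubtful route is the only one available it
is used immediately, so a backup path with a different origin AS still takes
over when the primary disappears. All constants and sample data are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOUR = 3600
HISTORY_WINDOW = 10 * 24 * HOUR   # assumed: an origin stays "known" for 10 days
DOUBT_WINDOW = 24 * HOUR          # assumed: a novel origin stays doubtful for 24 hours


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # neighbour first, origin AS last
    received_at: int           # seconds; constructed timestamps in the scenarios

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


class OriginHistory:
    """prefix -> origin AS -> (first_seen, last_seen)."""

    def __init__(self) -> None:
        self._seen: Dict[str, Dict[int, Tuple[int, int]]] = {}

    def observe(self, route: Route) -> None:
        origins = self._seen.setdefault(route.prefix, {})
        first, _ = origins.get(route.origin_as, (route.received_at, route.received_at))
        origins[route.origin_as] = (first, route.received_at)

    def is_doubtful(self, route: Route, now: int) -> bool:
        """Novel origin for a prefix that already has another known origin."""
        origins = self._seen.get(route.prefix, {})
        first, _ = origins.get(route.origin_as, (now, now))
        if now - first >= DOUBT_WINDOW:
            return False                      # seen long enough: treated as known
        return any(
            asn != route.origin_as and now - last <= HISTORY_WINDOW
            for asn, (_, last) in origins.items()
        )


def select_best(history: OriginHistory, candidates: List[Route], now: int) -> Optional[Route]:
    """Known-origin routes first, then shortest AS path. Doubtful routes are
    depreferenced, not discarded: alone, they still win."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (history.is_doubtful(r, now), len(r.as_path)))


def run_scenarios() -> Dict[str, int]:
    """Multihomed PI prefix (assumed 192.0.2.0/24): the primary ISP path
    originates from AS 64501, the backup ISP path from AS 64502."""
    h = OriginHistory()
    prefix = "192.0.2.0/24"
    via_primary = (64510, 64501)
    via_backup = (64520, 64502)
    out: Dict[str, int] = {}

    h.observe(Route(prefix, via_primary, 0))
    t1 = 3 * 24 * HOUR                        # primary has been seen for three days
    primary = Route(prefix, via_primary, t1)
    backup = Route(prefix, via_backup, t1)    # backup first appears now: novel origin
    h.observe(primary)
    h.observe(backup)
    out["both_present"] = select_best(h, [backup, primary], t1).origin_as

    # A novel origin with a shorter path is still ranked below the known origin.
    hijack = Route(prefix, (64666,), t1)
    h.observe(hijack)
    out["shorter_novel_path"] = select_best(h, [hijack, primary], t1).origin_as

    # Primary withdrawn an hour later: the doubtful backup is the only route left.
    out["primary_down"] = select_best(h, [Route(prefix, via_backup, t1 + HOUR)], t1 + HOUR).origin_as

    # After the doubt window the backup origin is known and competes on path length.
    t3 = t1 + DOUBT_WINDOW + HOUR
    later_backup = Route(prefix, via_backup, t3)
    longer_primary = Route(prefix, (64510, 64530, 64501), t3)
    h.observe(later_backup)
    h.observe(longer_primary)
    out["after_window"] = select_best(h, [later_backup, longer_primary], t3).origin_as
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the third scenario is the one Todd makes in reply to Sandy: a depreferenced backup route is not delayed for 4 to 72 hours, it simply loses to the trusted primary while both exist and takes over the moment the primary is withdrawn. Whether a real router can apply this without a centralized selection engine is the open implementation question the message itself raises.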
participants (2)
- sandy@tislabs.com
- Todd Underwood