Re: AS8584 taking over the internet
Indeed, in a perfect world, a route server would be the solution. But what always beats me in these situations is that the upstreams of ASes where these problems occur don't seem to be prefix filtering. Given the complexity of interdomain routing configs, misconfigurations by less experienced operators are to be expected, and to a certain extent can be forgiven. But it is hard to tolerate the behaviour of (supposedly) clueful upstreams who don't protect themselves and the rest of the Internet by having prefix filters on their downstream customers. It seems that the current state of the IRR and the supporting tools are in general simply too complex for a lot of people to get to grips with ... which includes me - we build ours manually :-( Perhaps the DNS based origin authentication proposal would have more success. We can only hope. Phil At 13:53 08/04/98 -0400, Abha Ahuja wrote:
Or maybe, use a route server!
-abha ;)
On Wed, 8 Apr 1998, philip bridge wrote:
Seems like...
http://www.academ.com/nanog/feb1998/origin.html
...is long overdue.
Phil
At 02:53 PM 4/7/98 -0400, Mr. Dana Hudes wrote:
It is such accidents that reinforce the notion of per-prefix filtering. Of course if one changes one's IRR/RIPE DB/RADB entries to deliberately announce the world there could still be a problem with auto-generated accept policy. The solution to *that* is quality assurance of the database, an ongoing issue in RIPE DB WG at least.
Even then how does one prevent someone coding 'ANY' for their announce policy when they should not? In the old NFSNET days human inspection of IRR entries assured quality but that's not practical anymore at a central registry.
sure, one has accept policy but other than excluding RFC1918 and your own address space and default you have no practical choice but to reference the other guy's aut-num object and the associated routes.
Dana Hudes Graphnet
Bernhard Kroenung wrote:
At the Moment AS4000 / AS8584 is announcing the whole internet :-(
For programming the cuise-missiles or SS20's - here is the data :
aut-num: AS8584 descr: Barak AS as-in: from AS4000 10 accept ANY as-in: from AS5585 100 accept ANY as-out: to AS4000 announce AS8584 as-out: to AS5585 announce AS8584 default: AS4000 10 admin-c: AS261-RIPE tech-c: AS261-RIPE mnt-by: AS8584-MNT changed: ashor@barakitc.co.il 971126 source: RIPE
person: Amir Shor address: Barak I.T.C. address: 15 Ha-Melacaha St. address: Rosh Ha-Ayin 48091, Israel phone: +972 3 9001082 fax-no: +972 3 9001090 e-mail: ashor@barakitc.co.il nic-hdl: AS261-RIPE changed: ashor@barakitc.co.il 971112 source: RIPE
Ciao Bernhard -- Bernhard Kroenung, Bahnhofstr 8, 36157 Ebersburg/Rhoen, Germany +49 6656
910101
@work : bernhard@kroenung.de Work: +49 661 9011777 @home : horke@Rhoen.De @school : Bernhard.Kroenung@Informatik.FH-Fulda.De
______________________________________________________________ Philip Bridge ++41 31 688 8262 bridge@ip-plus.net www.ip-plus.ch PGP: DE78 06B7 ACDB CB56 CE88 6165 A73F B703
__________________________________________________________________________ -------------------------------------------------------------------------- abha ahuja ahuja@merit.edu Merit Network, Inc. 734.764.0294
============================================================== Philip Bridge Swisscom Data/Multimedia Voice: +41 31 688 8262 Private: +41 31 911 1694 Fax: +41 31 688 8151 mail: bridge@ip-plus.net PGP:www-swiss.ai.mit.edu/~bal/pks-commands-beta.html(447485ED) ==============================================================
philip bridge on Wed, 08 Apr 1998 20:08:03 +0100 said:
It seems that the current state of the IRR and the supporting tools are in general simply too complex for a lot of people to get to grips with ... which includes me - we build ours manually :-(
To familarize with the IRR and the supporting tools, Sunday before next two nanogs, there will be a IRR/RPSL/RAToolSet tutorials. We will send an official announcement very soon about it. Cengiz
Cengiz, That is of course laudible. But the point has to be made that AS8584 is in Israel. In an environment when a small ISP in a small country can cause a lot of damage to the global Internet, a way has to be found to efficiently propogate this knowledge far and wide. Phil At 02:10 PM 4/8/98 -0600, Cengiz Alaettinoglu wrote:
philip bridge on Wed, 08 Apr 1998 20:08:03 +0100 said:
It seems that the current state of the IRR and the supporting tools are in general simply too complex for a lot of people to get to grips with ... which includes me - we build ours manually :-(
To familarize with the IRR and the supporting tools, Sunday before next two nanogs, there will be a IRR/RPSL/RAToolSet tutorials. We will send an official announcement very soon about it.
Cengiz
______________________________________________________________ Philip Bridge ++41 31 688 8262 bridge@ip-plus.net www.ip-plus.ch PGP: DE78 06B7 ACDB CB56 CE88 6165 A73F B703
philip bridge on Thu, 09 Apr 1998 08:36:28 +0100 said:
Cengiz,
That is of course laudible. But the point has to be made that AS8584 is in Israel. In an environment when a small ISP in a small country can cause a lot of damage to the global Internet, a way has to be found to efficiently propogate this knowledge far and wide.
There are also plans to repeat the tutorials at the RIPE and Apricot meetings. It is not perfect, but should get the knowledge to many.
Phil
At 02:10 PM 4/8/98 -0600, Cengiz Alaettinoglu wrote:
philip bridge on Wed, 08 Apr 1998 20:08:03 +0100 said:
It seems that the current state of the IRR and the supporting tools are in general simply too complex for a lot of people to get to grips with ... which includes me - we build ours manually :-(
To familarize with the IRR and the supporting tools, Sunday before next two nanogs, there will be a IRR/RPSL/RAToolSet tutorials. We will send an official announcement very soon about it.
Cengiz
______________________________________________________________ Philip Bridge ++41 31 688 8262 bridge@ip-plus.net www.ip-plus.ch PGP: DE78 06B7 ACDB CB56 CE88 6165 A73F B703
philip bridge on Thu, 09 Apr 1998 08:36:28 +0100 said:
That is of course laudible. But the point has to be made that AS8584 is in Israel. In an environment when a small ISP in a small country can cause a lot of damage to the global Internet, a way has to be found to efficiently propogate this knowledge far and wide.
And you think that a large ISP in a large country is somehow immune from human error? I don't think the problem at hand has anything to do with the size of the ISP or the size of the country they might reside in.
rfc/drafts/draft-bates-bgp4-nlri-orig-verif-00.txt
On Thu, 9 Apr 1998, Gary R Wright wrote:
And you think that a large ISP in a large country is somehow immune from human error? I don't think the problem at hand has anything to do with the size of the ISP or the size of the country they might reside in.
His point was that some relatively insignifigant site on the net can ruin things for large portions of the net relatively easily. It sounds sort of like the egress/ingress filtering argument all over again. You shouldn't trust your customers...not because they're malevelant, but just because accidents happen, and if you can contain them, it makes things better for everyone. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | http://noagent.com/?jl1 for cheap Network Administrator | life insurance over the net. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
participants (6)
-
Cengiz Alaettinoglu -
Cengiz Alaettinoglu
-
Gary R Wright -
Jon Lewis -
philip bridge -
Randy Bush