[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on ISP Expectations
actually, BGP authentication *is* used and more than just
a little bit. there is a significant effort under way to make
it much more widespread. this is directly because of what the
bad guys are capable of.
a bigger problem, though, is that there is no
"routing registry" nor can there be any time soon.
what would be much more useful would be for the *address*
registries to electronically publish a mapping from
prefix to inititating AS number (ie, the AS to which
it is assigned and hence must be last in an AS path).
this is actually easy to maintain and i've talked with
DK at RIPE about it. note that the AR does *not*
"maintain" the information beyond the initial assignment,
and even that uses information supplied by the assignee.
as blocks move around or get leased to customers with
their own AS, the onus is on the originator to update
this would make it relatively easy to sanity-check
a route announcement to verify that the injecting
AS is in fact the one who should do it. this will
catch the accidental announcements which blackhole
or hijack traffic, and make intentional acts a bit harder
(but certainly not impossible) to execute.
this doesn't need all the RPSL stuff, which is both
overly complex and tragically inadequate.
the "authorized injecting AS" is simple enough to get done and simple
enough to maintain once running. that means it is simple enough to
have a chance of being effective while avoiding the serious problem of
making the system *more* brittle instead of less. (that's one of of my
major problems with RPSL and "RR" things - if we can't get the
information right once, why do we think having to specify it several
times improves the odds it will be correct? the correctness of
randomly duplicated information degrades as an exponent - the
probabilities multiple, and the numbers always get smaller)