nanog mailing list archives

Re: Yahoo outage summary


From: Jared Mauch <jared () puck nether net>
Date: Mon, 9 Jul 2007 17:15:30 -0400


On Mon, Jul 09, 2007 at 04:50:56PM -0400, Joe Abley wrote:


 On 9-Jul-2007, at 16:13, Jared Mauch wrote:

    Some have automated systems, but they're dependent on IRR data
being correct.  There are even tools to automate population of IRR data.

 Building customer filters from the IRR seems like it should fall in the 
 "easy" bucket, given how long people have been doing it, and for how long. 
 It's the lack of a way to trust the data that's published in the IRR that 
 always seems to be the stumbling block.

-- snip --

 So, if you consider some future world where suitably machine-readable 
 repositories of number resources (e.g. IRRs) are combined 
 with machine-verifiable certificates affirming a customer's right to use 
 them, how far out of the woods are we? Or are we going to find out that the 
 real problem is some fundamental unwillingness to automate this stuff, or 
 something else?

        It's that some folks feel entitled to announce routes without
registering them.  Take ANS vs Sprintlink as the classic example.  Not
much has changed since then.  Nor have the tools evolved significantly.

        Some vendors still don't get router configuration from tools.
Try to automate something and it's not easy, or it's impossible.  Even the
best solutions on the market have some problems when you feed them an 8+Meg
config.  It takes a lot of CPU time to process that much.

        There really need to be some (ick, ignore that I suggested this)
Web 2.0 IRR tools.  Something that can smartly populate an IRR or
IRR-like dataset.  Something that can be taught to 'learn' what is
reasonable.  I've seen some cool things that show promise (e.g. Pretty
Good BGP), but there's always some interesting drawback.

        Plus, as Patrick said earlier (and I generally agree), these
types of "attacks" are rare and usually short-lived.  Even those
like the Panix situation didn't last very long.  Perhaps it's not as
important to think about now.


        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
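The "easy bucket" item in the exchange above, building a customer prefix filter from IRR route objects and then checking announcements against it, as an added example that is not part of the thread or of any poster's own tooling. The RPSL route/route6 objects are constructed sample data, the AS numbers and prefixes are documentation ranges, the de-aggregation limits (/24 and /48) are an assumed operator policy, and the rendered prefix-list syntax is IOS-style and assumed rather than taken from the thread.

```python
"""Build a per-customer BGP prefix filter from IRR route objects and
evaluate announcements against it.  Added example, not from the thread.

Assumptions: sample IRR data is constructed; ASNs/prefixes are documentation
ranges; MAX_LEN is an assumed policy; the rendered syntax is IOS-style.
"""
import ipaddress
import re

# Constructed sample IRR data in RPSL form (in practice this comes from
# whois/IRRd queries for the customer's as-set or aut-num).
SAMPLE_IRR = """\
route:          192.0.2.0/24
origin:         AS64496
source:         EXAMPLE

route:          198.51.100.0/24
origin:         AS64496
source:         EXAMPLE

route:          203.0.113.0/24
origin:         AS64497
source:         EXAMPLE

route6:         2001:db8::/32
origin:         AS64496
source:         EXAMPLE
"""

# Assumed policy: how far a registered aggregate may be de-aggregated.
MAX_LEN = {4: 24, 6: 48}


def parse_route_objects(text):
    """Return (network, origin_asn) pairs from RPSL route/route6 objects.

    Malformed prefixes raise; objects without a parsable origin are skipped.
    """
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        prefix = attrs.get("route") or attrs.get("route6")
        match = re.fullmatch(r"AS(\d+)", attrs.get("origin", "").upper())
        if not prefix or not match:
            continue
        network = ipaddress.ip_network(prefix, strict=True)
        objects.append((network, int(match.group(1))))
    return objects


def build_prefix_filter(route_objects, customer_asns, max_len=MAX_LEN):
    """Keep only prefixes whose registered origin is one of the customer's
    ASNs; each entry carries the longest prefix length it may be announced as."""
    entries = []
    for network, asn in route_objects:
        if asn in customer_asns:
            limit = max(network.prefixlen, max_len[network.version])
            entries.append((network, limit))
    return entries


def announcement_permitted(entries, prefix):
    """True if the announced prefix falls inside a registered entry and is
    no longer than that entry's limit.  Unregistered space is rejected."""
    net = ipaddress.ip_network(prefix, strict=True)
    for registered, limit in entries:
        if registered.version != net.version:
            continue  # subnet_of() only compares within one address family
        if net.subnet_of(registered) and net.prefixlen <= limit:
            return True
    return False


def render_prefix_list(name, entries):
    """Render IOS-style prefix-list lines (assumed syntax; the implicit
    deny at the end of the list drops everything not registered)."""
    lines = []
    seq = {4: 0, 6: 0}
    for network, limit in entries:
        seq[network.version] += 10
        keyword = "ip" if network.version == 4 else "ipv6"
        le = f" le {limit}" if limit > network.prefixlen else ""
        lines.append(
            f"{keyword} prefix-list {name} seq {seq[network.version]} "
            f"permit {network}{le}"
        )
    return lines


if __name__ == "__main__":
    entries = build_prefix_filter(parse_route_objects(SAMPLE_IRR), {64496})
    print("\n".join(render_prefix_list("CUST-AS64496", entries)))
    for announced in ("192.0.2.0/24", "192.0.2.0/25", "203.0.113.0/24"):
        print(announced, "permit" if announcement_permitted(entries, announced) else "deny")
```

The filter is only as good as the registry behind it, which is the thread's actual complaint: an object registered by someone who is not the holder, or a prefix the customer never registered, produces a wrong permit or a wrong deny just as mechanically as the correct cases here.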

