nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Public shaming list for ISPs announcing other ISPs IP space by mistake

From: Jared Mauch <jared () puck nether net>
Date: Thu, 14 Aug 2008 15:09:18 -0400
On Thu, Aug 14, 2008 at 11:32:28AM -0700, brett watson wrote:

On Aug 14, 2008, at 11:21 AM, David Freedman wrote:




but, why wouldn't something like formally requiring
customers/peers/transits/etc to have radb objects as a 'requirement'
for peering/customer bgp services



Step 1 : Enforce IRR for customers *now*.


Right, but I think the bigger issue is not just that "data is in the  
IRR" but rather "the data is there, and "some organization" has  
validated that 1) the "owner" is authentic, 2) they own the prefixes  
they entered, 3) they are authorized to originate the prefixes, and 4)  
the policies they entered are valid and agreed to by the other parties."

We have to be able to *trust* the data in the IRR, which I assume is one 
of the biggest impediments to being used by everyone: who's going to 
validate all that data and how will they do it?


        You're missing a step:

        janitor.

        No really, the reason for some leaks isn't because so-and-so was 
never a customer, they were.  5 years ago.  nobody removed the routes from 
the IRR or AS-SET or <insert method here> and now the route is learned via
some other location and it's bypassed your perimiter security and
infiltrated your BGP.

        There's many simple things that makes it seem like it's
an impossible task, but there's a saying, if you're not progressing
you're regressing.  If the toolset is too complex or doesn't work,
what are YOU doing to make it better for you and/or your customers?

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Previous By Date Next
Previous By Thread Next

Current thread: