nanog mailing list archives

Re: Has PSI been assigned network 1?


From: "Karl Denninger, MCSNet" <karl () mcs com>
Date: Sat, 22 Apr 1995 12:09:58 -0500 (CDT)

Filtering only serves to violate the premise of BGP4 and routing in general -
that the metrics and route weights will guide a packet to the most expeditious
path.  When you remove some of those choices, you second-guess the physical 
realities of the time.


Filtering does not violate any premise in BGP4.  BGP4 was
designed to allow the assignment of administrative weights.
That is to say, POLICY.  And I happen to believe not accepting a
route for 204.68.252/24 from someone who is not authorized to
route the associated ASes is a good policy.  If someone
announced a route to NET99 that was not authorized then ANS
would ignore that route, and you would still have connectivity
through us.  Only the customers of the ISP who misconfigured his
equipment, and anyone uninformed enough to accept routes from
him, would lose out.

Ok, Larry, let me ask the $10,000 question:

        If I announce 204.137.64/20 to you, how do you know if I am
        authorized to do so or not?

The answer is, absent something LIKE a NACR (ie: RR, RA, etc) you don't.

So now, if you *don't know*, do you take it or don't you?

I'm not arguing against NACRs and RAs.  In fact, just the opposite.  If
you're going to filter, and I understand that it can serve a purpose, then 
you *MUST* trust some authoritative source, and that source must have the
information to make the decision.

Saying "I'll accept anything from the netblocks I gave this ISP, and nothing
more" is baloney.  A transit provider has NO IDEA what routes you, as an ISP,
are authorized to route or who your customers are.  My business arrangements
and their details are none of anyone else's business, just like I have no
business knowing what kind of deal ANS cut with some other provider.  Yet if
ANS announces to me a prefix at some public peering point, there should be
some way for me to determine if it is or is not a legit announcement.

All that transit provider needs to know is what you register as announceable
via your AS, and that the delegate(s) of those address prefixes agree that
you can reach them.  That's a function that both NACRs and RAs serve.

Filtering *without* that information is time-consuming and serves to break 
connectivity.

Vadim has argued *vehemently* against trusting any neutral, exterior source 
of this information, like a route server.

But the resulting connectivity is, IMHO, more robust than, to
borrow a metaphor, having promiscuous sessions with all your
peers and praying you don't get the 'black hole',

Larry Plato
ANS Network Operations

You and I aren't disagreeing here. 

What I disagree with is filtering *without* using something that serves as a
table of authorities on who can reach what.

--
Karl Denninger (karl () MCS Net)| MCSNet - The Finest Internet Connectivity
Modem: [+1 312 248-0900]     | (shell, PPP, SLIP, leased) in Chicagoland
Voice: [+1 312 248-8649]     | 7 POPs online through Chicago, all 28.8
Fax: [+1 312 248-9865]       | Email to "info () mcs net" for more information
ISDN: Surf at Smokin' Speed  | WWW: http://www.mcs.net, gopher: gopher.mcs.net
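
The registry-backed filtering argued for in the message above, as an added example that is not part of the original post: a filter that consults a table of registered (prefix, origin AS) pairs and returns "unknown" when no entry covers an announcement. The registry contents, the AS numbers (documentation values from RFC 5398), the function names and the /24 length limit are all assumptions.

```python
import ipaddress

# Constructed registry of (prefix, origin AS) pairs. The prefixes are the two
# named in the thread; the AS numbers are documentation values (RFC 5398),
# not the real holders.
REGISTERED = [
    ("204.137.64.0/20", 64500),
    ("204.68.252.0/24", 64501),
]

def load_registry(entries):
    """Parse (prefix, origin_as) pairs into network objects."""
    return [(ipaddress.ip_network(p), asn) for p, asn in entries]

def classify(registry, prefix, origin_as, max_len=24):
    """Return 'accept', 'reject' or 'unknown' for one announcement.

    unknown: no registered prefix covers it, so the filter has no authority
             to consult (the "$10,000 question" case).
    reject : covered, but registered to a different origin AS, or more
             specific than max_len (an assumed local policy limit).
    """
    net = ipaddress.ip_network(prefix)
    covering = [(reg, asn) for reg, asn in registry
                if reg.version == net.version and net.subnet_of(reg)]
    if not covering:
        return "unknown"
    if net.prefixlen > max_len:
        return "reject"
    if any(asn == origin_as for _, asn in covering):
        return "accept"
    return "reject"

def filter_session(registry, announcements):
    """Split a peer's announcements into verdict buckets."""
    buckets = {"accept": [], "reject": [], "unknown": []}
    for prefix, origin_as in announcements:
        buckets[classify(registry, prefix, origin_as)].append((prefix, origin_as))
    return buckets

if __name__ == "__main__":
    reg = load_registry(REGISTERED)
    # Constructed announcements from one peer.
    seen = [("204.137.64.0/20", 64500), ("204.68.252.0/24", 64500),
            ("198.51.100.0/24", 64502)]
    for verdict, routes in filter_session(reg, seen).items():
        print(verdict, routes)
```

What to do with the "unknown" bucket is the policy choice the thread is arguing about; the code only makes the three cases distinguishable.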

