nanog mailing list archives

Re: route ingress


From: "Justin W. Newton" <justin () priori net>
Date: Tue, 30 Dec 1997 16:22:54 -0800

At 04:13 PM 12/30/97 -0800, Vadim Antonov wrote:
filters are your friend.  filters are your friends' friend.

Yes, but centralized database is not the answer.  For one, it
is liable to be screwed up completely from time to time (that much,
InterNIC experience shows us).  It is expensive to maintain; and
the problem of accuracy of the information within is quite acute.
The political implications of a centralized agency are even worse;
i do not think we want a replay of the domain name debate.

The only real solution is strong cryptographical authentication of
the ownership of routing prefixes.   For some reason i do not see
any serious work in that direction being done.

For now, it may be a good idea for tier-1 providers to adhere to a
procedure similar to that used (or used to be used) by Sprint: no
customer routing information is accepted before customer's border
box configuration passed inspection by Sprint staff.  No-nos included
unfiltered redistribution of IGP into BGP and lack of anti-transit AS-path
filters.

Vadim,
        Your policy above is unwise from the perspective that it seems to believe
that configuration errors are a one time problem.  A more reasonable policy
is to help your customers learn how to set up filters properly, and then
filter heavily on /your/ router to make certain that no matter what they do
they can't affect either your internal or external routing.



**************************************************************
Justin W. Newton                        voice: +1-650-482-2840  
Senior Network Architect                  fax: +1-650-482-2844
PRIORI NETWORKS, INC.                    http://www.priori.net
Legislative and Policy Director, ISP/C   http://www.ispc.org
"The People You Know.  The People You Trust."
**************************************************************
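
Added example, not part of the original messages: a sketch of the provider-side check discussed in this thread, rejecting routes outside the customer's registered prefixes (such as IGP routes redistributed into BGP) and AS paths that show the customer offering transit. The customer record, ASNs, prefixes, maximum prefix length and function names are all constructed assumptions.

```python
import ipaddress

# Constructed customer record (documentation prefixes, private-use ASN).
CUSTOMER = {
    "asns": {64512},
    "prefixes": [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")],
    "max_len": 24,  # assumed longest prefix the provider will accept
}

def check_announcement(customer, prefix, as_path):
    """Return (accepted, reason) for one route heard on the customer session."""
    net = ipaddress.ip_network(prefix)
    if not as_path:
        return False, "empty AS path"
    # Anti-transit: only the customer's own AS may appear (prepending is fine).
    foreign = [asn for asn in as_path if asn not in customer["asns"]]
    if foreign:
        return False, f"foreign AS in path: {foreign}"
    # Prefix must sit inside address space registered to this customer.
    covered = any(net.version == p.version and net.subnet_of(p)
                  for p in customer["prefixes"])
    if not covered:
        return False, "prefix not registered to customer"
    if net.prefixlen > customer["max_len"]:
        return False, "more specific than allowed"
    return True, "accepted"

# Constructed announcements: (prefix, AS path as received from the customer).
SAMPLE = [
    ("192.0.2.0/24", [64512]),              # legitimate
    ("198.51.100.0/24", [64512, 64512]),    # legitimate, prepended
    ("10.20.0.0/16", [64512]),              # IGP route leaked into BGP
    ("203.0.113.0/24", [64512, 64496]),     # customer offering transit
    ("192.0.2.128/25", [64512]),            # too specific
]

def filter_session(customer, announcements):
    """Apply the filter to every announcement; return the accepted prefixes."""
    return [p for p, path in announcements
            if check_announcement(customer, p, path)[0]]

if __name__ == "__main__":
    for prefix, path in SAMPLE:
        print(prefix, path, check_announcement(CUSTOMER, prefix, path))
```

Because the check runs on the provider's side of the session, it applies to every update the customer sends, not only to the configuration that was inspected at turn-up.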

