nanog mailing list archives

Re: Deciding whose network block is whose?


From: "Sean M. Doran" <smd () clock org>
Date: 06 Jan 1998 11:13:47 -0800

Geoff Huston <gih () telstra net> writes:

I am looking to the regional registeries to take some level of initiative 
and provide clients of their address allocation service the ability to 
sign the allocation and then the client can sign the routing request to the
provider which the provider can verify against the regional registry.
We went through this in discussion in the room at the time and it
looked like a viable and useful approach.

Yes, but this is only part of the problem.

I mean, fantastic idea, but then it's not exactly
transitive.  How do I know I can trust that Telstra's
announcements have been authorized by the people
responsible for the prefixes in question?  Worse, since I
do not talk directly with Telstra, how do I know I can
trust the intermediary networks not to have performed (or
fallen victim to) AS path surgery?

Moreover, other than prefix-length filtering, what can I
do to prevent falling victim to subnet-announcement
attacks?  Note that a larger CIDR block can still fall
victim to announcements of /19s in networks which use The
Satanic Filters.

Perhaps you have some idea other than mine (prayer) for
scalably solving these and similar issues?

        Sean.


Current thread: