nanog mailing list archives

Re: Defeating DoS Attacks Through Accountability


From: Sean Donelan <sean () donelan com>
Date: 12 Nov 2000 17:38:18 -0800


On Sun, 12 November 2000, Daniel Senie wrote:
> I'm not sure you're being clear. If someone has portable /24 or /16, and
> does NOT do their own BGP, but contracts with ONE ISP to do that
> advertisement. How do other ISPs know that ISP has permission? We could
> point to the RADB, but it's chock full of bogus data. We could point to
> ARIN, but their database just says the owner of the net in question is
> whomever it is. Those who own that space have a legitimate right to use
> that space, so telling them to get ISP-provided space is a non-starter.
>
> I agree it's a problem in need of a proper solution. The solution has to
> account for portable address space not owned by providers.

There are several steps involved.  I am talking about the very first
step. 

If someone has portable /24 or /16 space, there is a coordinator of
record listed in ARIN's, RIPE's or APNIC's database.  The first ISP
to inject the address into BGP must have proper authorization from
the coordinator of record.  If we start out with garbage, the rest is
irrelevant.  We need to get the starting point fixed.

The argument "they are paying us, so we do whatever they tell us" is
bogus.

After we have a good starting point, what do we do about the transitive
validation, i.e. how do you know the entire AS path is valid?

It should come as no surprise, I think ARIN is messed up.  In addition
to the coordinator of record and list of in-addr.arpa name servers, I
think it should include a routing delegation.  Either listing the ASN's
directly with the delegation, such as RIPE, or providing a pointer to
a third-party routing database of record for the IP address block.

But the transitive steps are garbage if the starting point is garbage.
As we've seen with the RADB, when anyone can put junk into the database,
it gets full of junk.  Sean Doran's 0/0 routes are the perfect example.

If a complete answer is "hard," can we at least work on getting the
first step correct?  
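The two checks the post separates (the first ISP must be authorized by the block's coordinator of record; then the AS path must be transitively valid) can be sketched as a receiving router's policy. The following is an added example, not code from the post or from any RIR or routing registry. It assumes a hypothetical "routing delegation" record attached to an address block that lists the authorized origin ASNs and the longest more-specific the coordinator permits (loosely the shape that RPKI ROAs later standardized), and a hypothetical table of adjacencies that each AS has declared for itself. All prefixes, ASNs and records are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """One routing delegation record on an address block (hypothetical schema)."""
    prefix: ipaddress.IPv4Network
    origin_asns: frozenset   # ASNs the coordinator of record has authorized
    max_length: int          # longest more-specific the coordinator permits


# Constructed registry: the "routing delegation" the post proposes the RIR
# database should carry. Documentation prefixes and private ASNs only.
REGISTRY = [
    Delegation(ipaddress.ip_network("192.0.2.0/24"), frozenset({64500}), 24),
    Delegation(ipaddress.ip_network("198.51.100.0/24"), frozenset({64501, 64502}), 24),
    Delegation(ipaddress.ip_network("203.0.113.0/24"), frozenset({64503}), 26),
]

# Constructed adjacency declarations: each AS lists the neighbours it has
# agreed to exchange routes with. A hop counts only if BOTH ends declared it,
# so one party cannot unilaterally insert itself into a path.
DECLARED_NEIGHBORS = {
    64500: {64520},
    64520: {64500, 64510},
    64510: {64520},
}


def validate_origin(prefix_str, origin_asn):
    """Step one from the post: was the origin authorized by the coordinator?

    Returns "valid", "invalid" (covered by a record, but wrong origin or too
    specific) or "not_found" (no record covers the prefix at all, which is
    what a bogus 0/0 announcement would get).
    """
    prefix = ipaddress.ip_network(prefix_str)
    covering = [d for d in REGISTRY if prefix.subnet_of(d.prefix)]
    if not covering:
        return "not_found"
    for d in covering:
        if origin_asn in d.origin_asns and prefix.prefixlen <= d.max_length:
            return "valid"
    return "invalid"


def validate_path(as_path):
    """Transitive step: every adjacent pair must have been declared by both sides."""
    if len(as_path) != len(set(as_path)):
        return False  # a repeated ASN is a loop, never a legitimate path
    for upstream, downstream in zip(as_path, as_path[1:]):
        if downstream not in DECLARED_NEIGHBORS.get(upstream, set()):
            return False
        if upstream not in DECLARED_NEIGHBORS.get(downstream, set()):
            return False
    return True


def evaluate_announcement(prefix_str, as_path):
    """Combine both checks for a received announcement.

    as_path is ordered from the neighbour that sent us the route down to the
    origin AS, as it appears in a BGP UPDATE.
    """
    origin_status = validate_origin(prefix_str, as_path[-1])
    path_ok = validate_path(as_path)
    # The post's point: a clean path over a bad origin is still garbage.
    accept = origin_status == "valid" and path_ok
    return {"origin": origin_status, "path_ok": path_ok, "accept": accept}


if __name__ == "__main__":
    print(evaluate_announcement("192.0.2.0/24", [64510, 64520, 64500]))
    print(evaluate_announcement("192.0.2.0/24", [64510, 64520, 64999]))
    print(evaluate_announcement("0.0.0.0/0", [64510, 64520, 64500]))
```

The three return states matter operationally: "invalid" is a positive signal that someone is originating space the coordinator never delegated to them, while "not_found" only says the registry is silent, so a policy that drops "not_found" outright would discard every block whose coordinator has not yet published a record.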
