nanog mailing list archives
Re: So -- what did happen to Panix?
From: bmanning () vacation karoshi com
Date: Fri, 27 Jan 2006 16:12:05 +0000
On Fri, Jan 27, 2006 at 10:42:11AM -0500, Joe Abley wrote:
> On 27-Jan-2006, at 07:51, bmanning () vacation karoshi com wrote:
>
> > perhaps you mean certified validation of prefix origin and path.
>
> In the absence of path validation, a method of determining the real origin of a prefix is also required, if the goal is to prevent intentional hijacking as well as unintentional origination. Simply looking at the right-most entry in the AS_PATH doesn't cut it, since anybody can "set as-path prepend P".

but by definition, the right-most entry is the prefix origin... the question becomes, is that the origin the prefix expects?

to use an historical example:

198.32.6.0/24 thinks that AS 4555 is the correct origin
AS 4555 thinks that it should (and does) originate prefix 198.32.6.0/24
AS 4555 uses AS 226 and 701 as transit providers.
AS 1239 wants to be helpful and tells its peers that it is the proper origin for prefix 198.32.0.0/16 -BUT- never tells AS 4555 about this and has no direct means to deliver packets to AS 4555.

Or... we see 128.9.160.0/24 as originating from multiple ASNs. there is no requirement for single AS origin - is that "theft" or an engineering tradeoff?

> This suggests to me that either we can't separate origin validation from path validation (which sucks the former into the more difficult problems associated with the latter), or we need a better measure of "origin" (e.g. a PKI and an attribute which carries a signature).

i was just interested in the problem of assertion of origination. it needs to be done w/o a centralized repository (imho) because that method has scalability problems. such a technique does open new chances to "confuse" ... e.g. what happens when the prefix is seen from the same apparent AS but w/ two or more different signatures? path validation is (again imho) a severable problem the prefix/as origin.

> Joe
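Added example, not part of the original message or thread: a Python sketch of the origin check the exchange discusses, comparing the right-most AS_PATH entry of each announcement with the origin a prefix expects, and flagging covering less-specific announcements and multiple-origin prefixes. The announcements are constructed; the 198.32.x prefixes and AS 4555, 226, 701 and 1239 come from the message, while the 645xx ASNs and the origins listed for 128.9.160.0/24 are assumptions. The last sample row shows the limitation raised in the quoted text: a path that merely ends in the expected AS passes this check.

```python
import ipaddress
from collections import defaultdict

# Expected origins ("the origin the prefix expects"). The 198.32.6.0/24 entry is
# from the message; the 128.9.160.0/24 ASNs are constructed (documentation range).
EXPECTED = {
    "198.32.6.0/24": {4555},
    "128.9.160.0/24": {64496, 64497},
}

# Constructed announcements: (prefix, AS_PATH as a collector sees it, left to right).
ANNOUNCEMENTS = [
    ("198.32.6.0/24", [701, 4555]),
    ("198.32.6.0/24", [226, 4555]),
    ("198.32.0.0/16", [1239]),           # covering prefix from another AS
    ("128.9.160.0/24", [64500, 64496]),
    ("128.9.160.0/24", [64501, 64497]),
    ("128.9.160.0/24", [64502, 64511]),  # origin not in the expected set
    ("198.32.6.0/24", [64511, 4555]),    # path that only claims AS 4555 as origin
]

def origin(as_path):
    """By definition the right-most AS_PATH entry is the origin."""
    return as_path[-1]

def classify(announcements, expected):
    """Return one (prefix, origin, verdict) tuple per announcement."""
    nets = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    results = []
    for prefix, path in announcements:
        net, asn = ipaddress.ip_network(prefix), origin(path)
        if net in nets:
            verdict = "expected" if asn in nets[net] else "unexpected-origin"
        else:
            # Less-specific announcement covering a prefix that expects another origin.
            covered = [n for n, asns in nets.items() if n.subnet_of(net) and asn not in asns]
            verdict = "covering-conflict" if covered else "unknown"
        results.append((prefix, asn, verdict))
    return results

def moas(announcements):
    """Prefixes seen with more than one origin AS."""
    seen = defaultdict(set)
    for prefix, path in announcements:
        seen[prefix].add(origin(path))
    return {p: asns for p, asns in seen.items() if len(asns) > 1}

if __name__ == "__main__":
    for row in classify(ANNOUNCEMENTS, EXPECTED):
        print(row)
    print(moas(ANNOUNCEMENTS))
```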