nanog mailing list archives

Re: Securing the BGP or controlling it?


From: Nick Hilliard <nick () foobar org>
Date: Mon, 10 May 2010 17:48:43 +0100

On 10/05/2010 17:00, Aaron Glenn wrote:
> my gut says things would do well to begin with simply making an effort
> at maintaining usable irr data and automagically generating sane
> filters. why don't people do that again? I hope I'm not naively
> misunderstanding a primary use of irr data in front of 10,000 of my
> closest friends...

There are a lot of problems associated with using IRRDB filters for inbound
prefix filtering.

- some clients announce lots of prefixes.  This can make inbound prefix
filtering difficult in some situations.

pixiedust:/home/nick> grep '>' pakistani-telecom.bgpdump.txt | wc -l
     967

- there are some endemic data reliability problems with the IRRDBs,
exacerbated by the fact that on most of the widely-used IRRDBs, there is no
link between the RIR and the IRRDB, which means that anyone can register
any address space.  whois.ripe.net doesn't allow this, but lots of other
IRRDBs do.

- the ripe whois server software does not support server-side as-set
expansion.  This is a really serious problem if you're expanding large ASNs.

- there is very little client software.  At least irrtoolset compiles these
days, but its front-end is very primitive.  rpsltool provides some really
nice templating functionality, but doesn't implement large sections of the
rpsl standards.

Nick
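
Added example, not part of the original message: a sketch of the client-side as-set expansion that is needed when the whois server will not expand as-sets itself, followed by building an inbound prefix list from route objects. The RPSL objects, the as-set names and the helper names are constructed for illustration, using documentation ASNs and prefixes.

```python
import ipaddress
# Constructed sample RPSL (documentation ASNs/prefixes); the as-sets loop.
SAMPLE_RPSL = """\
as-set:  AS-EXAMPLE-CUSTOMER
members: AS64496, AS-EXAMPLE-DOWNSTREAM

as-set:  AS-EXAMPLE-DOWNSTREAM
members: AS64497, AS-EXAMPLE-CUSTOMER

route:   192.0.2.0/24
origin:  AS64496

route:   198.51.100.0/24
origin:  AS64497

route:   203.0.113.0/24
origin:  AS64511
"""

def parse_objects(text):  # -> list of objects, each [(attribute, value), ...]
    return [[(k.strip().lower(), v.strip())
             for k, v in (ln.split(":", 1) for ln in block.splitlines())]
            for block in text.strip().split("\n\n")]

def expand_as_set(name, as_sets, seen=None):
    """Expand an as-set to its ASNs client-side; 'seen' breaks loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):  # unknown set expands to nothing
        if member[2:].isdigit():
            asns.add(member)
        else:
            asns |= expand_as_set(member, as_sets, seen)
    return asns

def build_filter(text, as_set_name):
    """Return prefixes whose route object origin is inside the as-set."""
    as_sets, routes = {}, []
    for obj in parse_objects(text):
        cls, key = obj[0]
        if cls == "as-set":
            as_sets[key.upper()] = [m.strip().upper() for k, v in obj[1:]
                if k == "members" for m in v.split(",") if m.strip()]
        elif cls == "route":
            routes.append((ipaddress.ip_network(key), dict(obj)["origin"].upper()))
    allowed = expand_as_set(as_set_name.upper(), as_sets)
    return sorted(str(net) for net, origin in routes if origin in allowed)
```

The resulting list is only as trustworthy as the route objects behind it: where an IRRDB lets anyone register any address space, a bogus route object passes straight through this logic.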

