It is such accidents that reinforce the notion of per-prefix
filtering.
Of course if one changes one's IRR/RIPE DB/RADB entries to
deliberately
announce the world there could still be a problem with
auto-generated
accept policy. The solution to *that* is quality assurance of the
database, an ongoing issue in RIPE DB WG at least.
Even then how does one prevent someone coding 'ANY' for their
announce policy when they should not? In the old NFSNET days
human inspection of IRR entries assured quality but that's not
practical anymore at a central registry.
sure, one has accept policy but other than excluding RFC1918 and
your own address space and default you have no practical choice
but to reference the other guy's aut-num object and the
associated routes.
It is such accidents that reinforce the notion of per-prefix
filtering.
Of course if one changes one's IRR/RIPE DB/RADB entries to
deliberately
announce the world there could still be a problem with
auto-generated
accept policy. The solution to *that* is quality assurance of the
database, an ongoing issue in RIPE DB WG at least.
Even then how does one prevent someone coding 'ANY' for their
announce policy when they should not? In the old NFSNET days
human inspection of IRR entries assured quality but that's not
practical anymore at a central registry.
sure, one has accept policy but other than excluding RFC1918 and
your own address space and default you have no practical choice
but to reference the other guy's aut-num object and the
associated routes.
Dana Hudes
Graphnet
Bernhard Kroenung wrote:
At the Moment AS4000 / AS8584 is announcing the whole internet
For programming the cuise-missiles or SS20's - here is the data :
aut-num: AS8584
descr: Barak AS
as-in: from AS4000 10 accept ANY
as-in: from AS5585 100 accept ANY
as-out: to AS4000 announce AS8584
as-out: to AS5585 announce AS8584
default: AS4000 10
admin-c: AS261-RIPE
tech-c: AS261-RIPE
mnt-by: AS8584-MNT
changed: ashor@barakitc.co.il 971126
source: RIPE
Indeed, in a perfect world, a route server would be the solution.
But what always beats me in these situations is that the upstreams of ASes where these problems occur don't seem to be prefix filtering. Given the complexity of interdomain routing configs, misconfigurations by less experienced operators are to be expected, and to a certain extent can be forgiven. But it is hard to tolerate the behaviour of (supposedly) clueful upstreams who don't protect themselves and the rest of the Internet by having prefix filters on their downstream customers.
It seems that the current state of the IRR and the supporting tools are in general simply too complex for a lot of people to get to grips with ... which includes me - we build ours manually
Perhaps the DNS based origin authentication proposal would have more success. We can only hope.
