RE: Deciding whose network block is whose?

Sean,

FASTNET filters on prefix and mask, AS and "authority", that being a
combination of the whois database and the radb. If the customer wants
to announce a new prefix, they must first have the radb matching the
announcement and the IP allocation has to be assigned to them by a
verifiable means, such as the NIC/ARIN. If we originate the route, we
will ensure that the databases are up to date.

All new BGP peers are also password authenticated, and we are converting
current peers to that as well. Global tables from our peering and
customer DS3 connections are passed through an ACL that checks for
illegal routes, host routes and reserved numbers.

We had an instance where a customer of ours noticed that someone else was
announcing a more specific from their /18. It wasn't easy nor fun to
make this stop. It required many panic calls and a lot of aggravation.
It's just too easy to do, both intentionally and by mistake. And then
there is the potential of BGP DoS attacks to further complicate things.

Maybe each BGP update for a route might pass some sort of identity flag
in the pre-amble that provides a trace of how the route arrived, and
perhaps something like the serial number of the originating router. Then
someone more clever than I can come up with a way to use that extra
information to more quickly trace and disable bad or invalid
announcements, or use that information in some fashion to authenticate
the Good Guy from the Bad Guy.

It ain't the ol' Internet no more.

Best regards,

David Van Allen - FASTNET(tm) / You Tools Corporation
dave@fast.net (888)321-FAST(3278) http://www.fast.net
FASTNET - Business and Personal Internet Solutions
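
The filtering described in the reply above (prefix and mask, origin AS, registry "authority", and rejection of host routes and reserved numbers), as an added example that is not part of the original e-mail and not FASTNET's configuration. The route objects are constructed sample data (benchmarking address space, private-use AS numbers), and the exact-match policy and function name are assumptions.

```python
import ipaddress

# Constructed stand-in for RADB/WHOIS route objects: (prefix, origin AS).
# 198.18.0.0/15 is benchmarking space, used here only as sample data.
ROUTE_OBJECTS = [("198.18.0.0/18", 64500), ("198.18.64.0/18", 64501)]

# Reserved space that should never be accepted from a peer or customer.
# Partial list; the sample range above is deliberately left out of it.
RESERVED = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]


def check_announcement(prefix, origin_as,
                       route_objects=ROUTE_OBJECTS, reserved=RESERVED):
    """Return (accepted, reason) for one announced prefix and origin AS."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed"          # bad syntax or host bits set
    if net.prefixlen == net.max_prefixlen:
        return False, "host route"
    if any(net.subnet_of(ipaddress.ip_network(r)) for r in reserved):
        return False, "reserved"
    # Registry entries that cover the announced prefix.
    covering = [(ipaddress.ip_network(p), asn) for p, asn in route_objects
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return False, "no route object"
    # Accept only an exact prefix-and-mask match with the registered origin.
    if any(reg == net and asn == origin_as for reg, asn in covering):
        return True, "exact match"
    if all(asn != origin_as for _, asn in covering):
        # The case from the e-mail: another AS announcing a more
        # specific out of a block registered to someone else.
        return False, "origin mismatch"
    return False, "more specific than registered"


if __name__ == "__main__":
    samples = [("198.18.0.0/18", 64500), ("198.18.32.0/24", 64511),
               ("198.18.32.0/24", 64500), ("10.1.0.0/16", 64500),
               ("198.18.0.1/32", 64500), ("198.19.0.0/24", 64500)]
    for pfx, asn in samples:
        print(pfx, "AS%d" % asn, check_announcement(pfx, asn))
```
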

When some random person decides to announce a subnet, what do providers
accept as proof the person has authority to announce that subnet to the
global Internet? Or the other side, when some random person calls up
complaining that someone else is announcing a subnet without
authorization what do providers accept as proof that the announcement is
invalid?

For example, let's say a difficult to reach ISP on the other side of the
planet decided to announce a subnet DRA had assigned for use by one of
our customers. Would major providers take my word a Hong Kong provider
was wrong? Would major providers accept the registration information in
WHOIS and/or IRR the network block had been delegated to me, and to no
one else?
Would major providers accept a statement from the APNIC that the HK ISP
had never been delegated any part of the network block? What do you do
when a major provider's front-line customer service personnel don't
understand the problem, but say since the other person is a customer
they have to believe them? Of course, the major provider can't get a
hold of the customer either.

Do providers normally just let customers announce any network, and only
review things after receiving complaints? If so, how do such providers
expect people to complain when one of their customers is causing
problems?

How many days, weeks, months is considered normal to reach a competent
person at a major ISP that has the authority to block such a bogus
announcement by one of their customers? Since some (one) major provider
has a policy of not giving trouble ticket numbers when a non-customer
calls, how much ruckus must be caused to get their management's
attention?

This can cause partial network outages lasting weeks in some cases. I
hate the idea of needing to resort to things like filing formal criminal
complaints because of the dumb management policy at a major provider,
but it has been required in some other industries these providers
operate in. Slamming is a prohibited practice for long distance
carriers, and the customer can more or less easily get their phone
number switched back to their original provider. How does a customer do
the same thing when their IP network block gets slammed by another
provider, or a customer of another provider?

There seem to be major problems with several of the widely referred to
network registration databases. I see Telstra (AS1221) is once again,
Dec 29, 1997, announcing 3.156.20.0/24. While it's possible that General
Electric has an office in Australia, it seems an odd announcement. Other
than Sprint's global default for 0/1 (and then SPRINT has the nerve to
complain when people point default at them) there is no information in
the IRR about valid origin ASNs for Net 3/8. Although Mr. Bono spoke
up about some of GE's activities, other than James C. Shearer, who would
have authority over subnets from network 3/8? And what to do when the
listed contact has left, or worse is a generic position name (e.g.
hostmaster@ or noc@).

Even going by company names isn't enough, because some companies have
very similar names, are merged, unmerged, sliced and diced. For example,
the various companies have "Data Research" in their name, but have
nothing to do with DRA. Nor is the DRA in the UK affiliated with
the DRA in the USA.

Network blocks delegated to non-ISPs were fairly easy, because it is
uncommon to see subdelegations. But if you look at net 12/8 (AT&T),
customer subnets are appearing in announcements from other providers.
How do you decide when network blocks can be delegated, or not? In
net 12/8 case, the WHOIS database lists some delegations, but the IRR
shows different ones.

But with CIDR it is even complicated figuring out what type of
delegation was done for subnets. Take the case of 205.164.62.0 which is
from a network block delegated to MCS. The history of this block is a
bit odd.
It appears the block 205.164.0.0/16 was first delegated on March 15,
1995 to NET99. On March 29, 1995 205.164.0.0/18 was delegated to MCS. At
some point later the delegation for 205.164.0.0/16 was deleted, and AGIS