So -- what did happen to Panix?

Todd Underwood wrote:

you're probably right (as usual). but it seems that if you delay
acceptance of announcements with novel origination patterns, you don't
harm very many legitimate uses. in particular, ASes changing
upstreams won't be harmed at all. people moving their prefix to a new
ISP will have a fixed delay in getting their announcement propagated,
sure. but they already have this delay now.

they tell the new ISP: 'announce my prefix' and the new ISP says
'prove it's yours'. they do that for a couple of emails. then the
new ISP asks its upstreams to accept that announcement. that takes a
little while (ranging from 4 to 72 hours in my recent experience).

This is great for the planned changes, but real-time changes to
respond to Internet dynamics won't work well with such delays. If you
are multi-homed to provide a backup, you would like for it to respond
more quickly than 4-72 hours, I'll bet. So if you have PI space but not
your own AS, your backup route would look like a novel origination,
but you sure wouldn't want it delayed.

How common are such cases? Should the solutions cover them also?
Should there be special procedures to deal with special cases?
Etc.

--Sandy

This is great for the planned changes, but real-time changes to
respond to Internet dynamics won't work well with such delays. If you
are multi-homed to provide a backup, you would like for it to respond
more quickly than 4-72 hours, I'll bet. So if you have PI space but not
your own AS, your backup route would look like a novel origination,
but you sure wouldn't want it delayed.

no.

the scheme that josh karlin has been advocating in pretty good bgp
involved only suppressing a doubtful announcement when you have a
better, more trusted announcement. it remains to be seen how hard
this would be to implement in existing systems of "build filters in
configs and push to routers". this only works obviously well in
systems that centralize route selection and use routers only as
forwarding engines. that might be a cool idea, but it's not what we
have now.

if you don't use the pgbgp scheme, you can still get the benefits of
being no worse than what we have now. consider this just a different,
more automatic, more scalable, more secure way of building and
maintaining the prefix filter that we all are supposed to be maintaining
already.

i'll be happy to talk to interested parties at nanog in dallas about
this (or almost anything else, especially if you're buying).

t.
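
An added illustration, not part of the original thread and not Karlin's implementation: a simplified sketch of the selection rule described above, where an announcement with a novel origin is only passed over while a trusted announcement for the same prefix exists, so a backup origin is used at once when the primary is withdrawn. The class and function names, the 24-hour quarantine window, the documentation prefix and the private-use AS numbers are all assumptions made for the example.

```python
from dataclasses import dataclass

SUSPICIOUS_SECS = 24 * 3600  # assumed quarantine window; not stated in the thread

@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    as_path_len: int

class OriginHistory:
    """Tracks which (prefix, origin AS) pairs have been seen long enough to trust."""
    def __init__(self, known_pairs):
        self.trusted = set(known_pairs)
        self.first_seen = {}  # novel (prefix, origin) -> time first observed

    def is_suspicious(self, route, now):
        key = (route.prefix, route.origin_as)
        if key in self.trusted:
            return False
        first = self.first_seen.setdefault(key, now)
        if now - first >= SUSPICIOUS_SECS:
            self.trusted.add(key)  # survived the quarantine window: promote
            return False
        return True

def select_best(candidates, history, now):
    """Prefer trusted routes; use a suspicious one only if nothing else exists."""
    if not candidates:
        return None
    # Evaluate every candidate so first_seen is recorded for all novel origins.
    flagged = [(history.is_suspicious(r, now), r) for r in candidates]
    trusted = [r for suspicious, r in flagged if not suspicious]
    pool = trusted or [r for _, r in flagged]
    return min(pool, key=lambda r: r.as_path_len)

def demo():
    # Constructed sample data: documentation prefix and private-use AS numbers.
    history = OriginHistory({("192.0.2.0/24", 64500)})
    known = Route("192.0.2.0/24", 64500, as_path_len=4)
    novel = Route("192.0.2.0/24", 64511, as_path_len=2)
    return [
        select_best([known, novel], history, now=0).origin_as,    # novel passed over
        select_best([novel], history, now=60).origin_as,          # backup case: used at once
        select_best([known, novel], history, now=SUSPICIOUS_SECS).origin_as,  # promoted
    ]

if __name__ == "__main__":
    print(demo())
```

This sketch covers only competing origins for the same prefix; more-specific (sub-prefix) announcements would need separate handling.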