Who uses RADB? [was BGP to doom us all]

As you say, for customers only. Inter-provider we have basic bogon checking plus
maximum prefix. It's too unwieldy to build when you have peers exchanging
thousands of routes... there's a belief that the peer should be behaving
responsibly though, and this is a condition of most bilateral peering contracts.

Unfortunately, contracts don't fix mis-(or malicious-) configurations on
compromised routers or from a peer's disgruntled worker.

Going back to the original topic on this thread, I would expect a deliberate
attack on BGP routing to come from a customer, not a provider such as Level3; if
they are filtering in turn to their customers, we have a reasonable amount of
sanity checking going on.

A large provider I worked for in the past had a router maliciously configured
to inject a more-specific prefix for a very "popular network". Even the "popular
network's" provider sent the traffic to us. Had explicit prefix-based
inter-provider filtering been in place it would not have occurred, or at least "the
whole Internet" wouldn't have been affected.

With the IRRs and inter-provider filtering it's the whole chicken and egg thing.
Inter-provider filters aren't in place because no one cares about IRRs (even
though they have other operational value as well). Vendors don't support the
amount of prefix filters required because they say no one uses them. Heck,
lots of folks still don't ingress filter routes (or packets) from their
customers.

When ANS used to employ inter-provider filters the biggest problem was getting
them updated and bouncing routes or sessions. That's no excuse anymore
because pretty much everyone supports the ability to incrementally update filters,
and BGP Route Refresh fixes the bounce the session/route thing.

So, let's recap why no one uses them (as many have said already in the related
thread): Laziness. The same laziness that results in the slew of other things
many folks have pointed out not being addressed.

-danny

> So, let's recap why no one uses them (as many have said already in the related
> thread): Laziness. The same laziness that results in the slew of other things
> many folks have pointed out not being addressed.
>
> -danny

You forgot the other one - expense. AFAIK all of the registries have fees
or require you to be a customer. If there is no operational value for me
why would I want to spend the money? I realize most of you work for
companies that consider a million dollars chump change but that is not the
case everywhere. If you can give me a convincing reason to register my
routes in a RADB I will - but at this point I have yet to see it.

What does a RADB tell you about a non-transit network that you can't see
from BGP and WHOIS? There is no more security in RADB than there is in our
current method of notifying our peers of the netblocks we are announcing.

Mark Radabaugh
Amplex
(419) 720-3635

> So, let's recap why no one uses them (as many have said already in the related
> thread): Laziness. The same laziness that results in the slew of other things
> many folks have pointed out not being addressed.
>
> -danny

> You forgot the other one - expense. AFAIK all of the registries have fees
> or require you to be a customer. If there is no operational value for me
> why would I want to spend the money? I realize most of you work for

It doesn't cost a million dollars to have access to a RR, it's somewhat less! You
pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your
SSL, so why be shocked you pay a little for this too? And if everyone filters
your prefixes that will be operational value enough to join!

> companies that consider a million dollars chump change but that is not the
> case everywhere. If you can give me a convincing reason to register my
> routes in a RADB I will - but at this point I have yet to see it.

You've been reading this thread, right? Those were the reasons and they were
pretty good; if you don't, you may get filtered eventually or have your routes
hijacked.

> What does a RADB tell you about a non-transit network that you can't see

It tells you who it belongs to, where it should be coming from, possibly contact
details.

> from BGP and WHOIS? There is no more security in RADB than there is in our
> current method of notifying our peers of the netblocks we are announcing.

Well, you can't arbitrarily register routes to them; you have to be a member, and
have to match the authorisation criteria. I use RIPE and you have to be
authorised on both the ASN and the INETNUM objects to register the route for it.

Steve
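Steve's point that RIPE requires authorisation on both the ASN and the INETNUM objects before a route object is accepted can be shown as a small check. The Python below is an added example, not RIPE's code and not anything posted in this thread; it models a constructed registry in which aut-num and inetnum objects carry maintainer lists, inetnums are simplified to CIDR blocks (real RIPE inetnums are address ranges, and the real rules involve further attributes such as mnt-routes), and the AS numbers, prefixes and maintainer names are documentation values.

```python
"""Registry-side authorisation check for a new route object (added example).

Constructed registry: the AS numbers (RFC 5398), prefixes (RFC 5737) and
maintainer names are illustrative, not real RIPE data.
"""
import ipaddress

# aut-num objects: who may register routes with this origin AS
AUT_NUMS = {
    "AS64496": {"mnt-by": {"MAINT-EXAMPLE"}},
    "AS64497": {"mnt-by": {"MAINT-OTHER"}},
}

# inetnum objects (simplified to CIDR): who holds the address space
INETNUMS = {
    "192.0.2.0/24": {"mnt-by": {"MAINT-EXAMPLE"}},   # same customer as AS64496
    "203.0.113.0/24": {"mnt-by": {"MAINT-OTHER"}},   # somebody else's block
}


def covering_inetnum(prefix):
    """Return the most specific inetnum block containing prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=True)
    best = None
    for key in INETNUMS:
        cand = ipaddress.ip_network(key, strict=True)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def authorise_route(prefix, origin, maintainer):
    """Accept a route object only if the submitting maintainer is listed on the
    origin aut-num AND on the inetnum covering the prefix.

    Returns (accepted: bool, reason: str)."""
    aut = AUT_NUMS.get(origin.upper())
    if aut is None:
        return False, f"no aut-num object for {origin}"
    if maintainer not in aut["mnt-by"]:
        return False, f"{maintainer} is not a maintainer of {origin}"
    inet = covering_inetnum(prefix)
    if inet is None:
        return False, f"no inetnum covers {prefix}"
    if maintainer not in INETNUMS[str(inet)]["mnt-by"]:
        return False, f"{maintainer} is not a maintainer of {inet}"
    return True, f"{maintainer} is authorised on both {origin} and {inet}"


if __name__ == "__main__":
    # Legitimate registration, then an attempt to register someone else's space
    # under your own AS, then an attempt to register your space under someone else's AS.
    for args in [("192.0.2.0/24", "AS64496", "MAINT-EXAMPLE"),
                 ("203.0.113.0/24", "AS64496", "MAINT-EXAMPLE"),
                 ("192.0.2.0/24", "AS64497", "MAINT-OTHER")]:
        print(args, "->", authorise_route(*args))
```

The two-sided check is what makes the registry entry meaningful: holding the address space alone is not enough to register it under an arbitrary origin AS, and controlling an AS is not enough to claim address space you do not hold.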

> It doesn't cost a million dollars to have access to a RR, it's somewhat less! You
> pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your
> SSL, so why be shocked you pay a little for this too? And if everyone filters
> your prefixes that will be operational value enough to join!

Correct. We pay for lots and lots of things - and there are about 30 other
things I need NOW that cost $500.

> You've been reading this thread, right? Those were the reasons and they were
> pretty good; if you don't, you may get filtered eventually or have your routes
> hijacked.

Eventually is not now - and given that you have a horrendous chicken and egg
problem I don't see it happening anytime in even the remote future.

I'll grant you that it would be nice to have it so that my routes can't be
hijacked - but we are back to the same chicken and egg problem. I'm
contributing to one end of it - but I'm not the hard one to convince here.
It's the many thousands of others who don't read NANOG.

> Well, you can't arbitrarily register routes to them; you have to be a member, and
> have to match the authorisation criteria. I use RIPE and you have to be
> authorised on both the ASN and the INETNUM objects to register the route for it.

True enough. And to get my BGP peers to accept my routes I have to do the
exact same thing by communicating with them - not just changing entries in
the RADB. If I want to launch a malicious attack both methods leave
trails - but I'm willing to bet that it's a lot more likely that a person
reviewing my request at a BGP peer will catch me before an automated system.

Even if you compromise my routers it still doesn't allow you to announce
anything interesting from me - you still have to convince my upstream
providers to accept the announcements based on the current system of
manually entered prefixes.

We have had our routes registered in RADB in the past but despite the theory
that it is laziness we dropped it due to expense and lack of relevance.
I'll probably register our routes again but until RADB becomes a requirement
of the RIRs or someone with authority I rather suspect this is a dead end.

> Steve

Mark

> It doesn't cost a million dollars to have access to a RR, it's somewhat less! You
> pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your
> SSL, so why be shocked you pay a little for this too? And if everyone filters
> your prefixes that will be operational value enough to join!

Because it provides me *no* service whatsoever.

>> What does a RADB tell you about a non-transit network that you can't see

> It tells you who it belongs to, where it should be coming from, possibly contact
> details.

Presuming that it is correct, which it is NOT in a large percentage of
cases. So again, why am I paying someone to provide me incorrect
information?

Alex

ALTDB?

www.altdb.net

Even Verio mirrors ALTDB, so customers can use them instead of the Verio
registry if you want.

http://info.us.bb.verio.net/routing.html#VRR

>> It doesn't cost a million dollars to have access to a RR, it's somewhat less! You
>> pay for your domains, you pay for your IPs, you pay for your ASN, you pay for your
>> SSL, so why be shocked you pay a little for this too? And if everyone filters
>> your prefixes that will be operational value enough to join!
>
> Because it provides me *no* service whatsoever.

Then don't use it. Surely this is not rocket science.

>>> What does a RADB tell you about a non-transit network that you can't see
>>
>> It tells you who it belongs to, where it should be coming from, possibly contact
>> details.
>
> Presuming that it is correct, which it is NOT in a large percentage of
> cases. So again, why am I paying someone to provide me incorrect
> information?

You're not. You're paying to provide other people with information about you. Retrieving other peoples' incorrect information is free.

Joe

>> It doesnt cost a million dollars to have access to a RR, its somewhat
>> less! You pay for your domains you pay for your IPs you pay for your
>> ASN you pay for your SSL, so why be shocked you pay a little for this
>> too? And if everyone filters your prefixes that will be operational
>> value enough to join!
>
> Because it provides me *no* service what so ever.

> Then don't use it. Surely this is not rocket science.

If it provides no service to me and the guy next block and another little
ISP that is announcing some prefixes and a few large ISPs that announce
quite a few prefixes, you won't get the data that you need. I am sure you get
the idea.

Alex

Some people seem to have the idea that RADB-like services are only useful if every operator uses them, and every operator publishes accurate information. In my experience, that is not the case.

The most common usefulness I have experienced out of the IRR is as an automated mechanism for publishing policy to adjoining ASes. Examples are BGP-speaking customers instructing their providers on how to filter their advertisements, and ASes filtering advertisements from their peers (which does happen, even if it's not common in the US). Whether or not non-adjoining ASes use the IRR at all, or use it well, is not relevant to this application.

Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient and less customer-enraging than the common alternative approach of opening six different tickets with the NOC and sacrificing small animals for three weeks until the updates are made.

Joe

When I was at $LARGE_PROVIDER, I was working on a
project to port all of the customer IP information
over to route-objects for precisely this purpose: the
goal was that customers would be able to update their
filters automatically (and get rWHOIS for free -
simplifying additional ARIN allocation requests).

Sadly for that project, after I left, the little Ultra
5 was abandoned, and AFAIK is still sitting in my old
lab, unused - and after the most recent (quarterly)
staff-bloodletting, there certainly won't be resources
to devote to a project like that. Sigh.

Very subtle, David. As it happens, somebody asked only last week if
they could take up the project again. For those who think mapping
filters to route objects is nigh trivial, there is a significant
difference between network assignees and routes. Tracking assignments,
ASNs, customer routing policy, and which edge router each connects to
requires two scoops of Perl.

I should also point out that three out of four RIRs run a route registry.
http://www.arin.net/tools/rr.html

Lee

I'm thrilled to hear that that project is being picked
up again. The long-term benefits (IMO) are worth the
non-trivial amount of effort required to make a
functioning solution.

It's not trivial, but there are several proofs of existence out
there. I think Worldcom even owned the code for at least two working
implementations at one time or another :)

Essentially a route registry is a way to tell everyone "only listen to
this route/prefix from me." But if every ISP runs their own route
registry, you end up with the same problem with an additional level of
indirection. C&W's route registry says their route, Level 3's route
registry says their route, Verio's route registry says their route. Etc.
with Merit, ARIN, RIPE.

However, it is a step forward to get the information in a common format
which can be shared/munged/checked/etc. The route vectors in BGP are
very information limited. RPSL/rWHOIS has the opportunity to provide
more context.
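Two earlier points in this thread, Joe's "small lump of script" that generates route filters from the IRR, and the description just above of a registry as a way to say "only listen to this route/prefix from me", can be shown together in one worked example. The Python below is an added example, not code from this thread or from any registry; it parses a constructed set of RPSL route objects (documentation prefixes and AS numbers, not real registry data), renders an IOS-style prefix-list for one origin AS, and checks received announcements against the registry, rejecting the more-specific injection Danny described earlier when the more specific falls inside space registered to a different AS. The prefix-list syntax follows IOS conventions; the function and variable names are this example's own.

```python
"""Generate prefix filters from IRR route objects and check announcements (added example).

The route objects below are a constructed RPSL-style sample; prefixes are RFC 5737
documentation blocks and AS numbers are RFC 5398 documentation ASNs.
"""
import ipaddress
from collections import defaultdict

SAMPLE_RPSL = """\
route:      192.0.2.0/24
descr:      Example customer block (constructed)
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route:      198.51.100.0/24
descr:      Second customer block (constructed)
origin:     AS64496
source:     RADB

route:      203.0.113.0/24
descr:      Unrelated network (constructed)
origin:     AS64497
source:     RADB
"""


def parse_route_objects(text):
    """Split RPSL text into objects (separated by blank lines) and keep the route objects."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return [o for o in objects if "route" in o and "origin" in o]


def registered_prefixes(objects):
    """Map origin AS -> set of prefixes registered for it."""
    by_asn = defaultdict(set)
    for obj in objects:
        by_asn[obj["origin"].upper()].add(ipaddress.ip_network(obj["route"], strict=True))
    return by_asn


def cisco_prefix_list(name, prefixes, max_len=24):
    """Render IOS-style prefix-list lines permitting each registered prefix (and its
    more specifics up to /max_len), followed by an explicit deny-all."""
    lines, seq = [], 5
    for net in sorted(prefixes):
        # IOS requires the prefix length to be shorter than the 'le' value,
        # so omit 'le' when nothing longer than the registered prefix is allowed.
        suffix = f" le {max_len}" if max_len > net.prefixlen else ""
        lines.append(f"ip prefix-list {name} seq {seq} permit {net}{suffix}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines


def check_announcement(by_asn, prefix, origin, max_len=24):
    """Decide whether a (prefix, origin AS) announcement is consistent with the registry.

    Returns ("accept" | "reject", reason). A more specific of a prefix registered
    to a different AS is rejected: that is the malicious more-specific case."""
    net = ipaddress.ip_network(prefix, strict=True)
    origin = origin.upper()
    if net in by_asn.get(origin, ()):
        return "accept", f"{net} is registered to {origin}"
    for asn in sorted(by_asn):
        for reg in sorted(by_asn[asn]):
            if reg.version != net.version or net == reg or not net.subnet_of(reg):
                continue
            if asn != origin:
                return "reject", f"{net} is a more specific of {reg}, registered to {asn}, not {origin}"
            if net.prefixlen > max_len:
                return "reject", f"{net} is a more specific of {reg} but longer than /{max_len}"
            return "accept", f"{net} is a more specific of {reg}, registered to {origin}"
    return "reject", f"{net} is not registered to any AS"


if __name__ == "__main__":
    registry = registered_prefixes(parse_route_objects(SAMPLE_RPSL))
    print("\n".join(cisco_prefix_list("AS64496-IN", registry["AS64496"])))
    for ann in [("192.0.2.0/24", "AS64496"), ("192.0.2.0/25", "AS64497"), ("10.0.0.0/8", "AS64496")]:
        print(ann, "->", check_announcement(registry, *ann))
```

Rendering the prefix-list and checking announcements from the same parsed data is the point: the filter a provider installs for a customer and the sanity check run against what that customer actually announces come from one source, so updating the route object updates both.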

Mark Radabaugh <mark@amplex.net> writes:

[...]

> You forgot the other one - expense. AFAIK all of the registries have fees
> or require you to be a customer. If there is no operational value for me
> why would I want to spend the money? I realize most of you work for
> companies that consider a million dollars chump change but that is not the
> case everywhere. If you can give me a convincing reason to register my
> routes in a RADB I will - but at this point I have yet to see it.

FYI, the RIPE Database implements RPSL and is free to use.

http://www.ripe.net/ripencc/pub-services/db/index.html

Regards,