I was just wondering if when new members are added to the route server, are there filters set up so that they can only advertise networks that can be verified to be associated with their company via an ARIN WHOIS lookup? Just wondering since prior to connecting, I am concerned about people advertising routes that they might not have connectivity to. I could see someone making a simple mistake in their BGP configuration, and accidentally advertising routes that were not theirs, that could then be blocked from transiting through their router by an access list that is designed to stop spoofing of their IP addresses. Not to mention possible issues that could come up if someone had some malicious intent to disrupt traffic to a specific netblock. Just wondering if there have been any discussions on this issue?
Jeremy
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
I haven't heard any discussions about this, but I think that is something that we should look into. The downside is that every time somebody adds a network or a customer with an ARIN allocation it would require human maintenance. I wouldn't want to have that job. I also suspect that it could be problematic for organizations with a large number of netblocks.
Can our route servers read routes from a routing registry?
On 01/19/2011 02:05 PM, Jeremy Lumby wrote:
> I was just wondering if when new members are added to the route server, are there filters set up so that they can only advertise networks that can be verified to be associated with their company via an ARIN WHOIS lookup? Just wondering since prior to connecting, I am concerned about people advertising routes that they might not have connectivity to. I could see someone making a simple mistake in their BGP configuration, and accidentally advertising routes that were not theirs, that could then be blocked from transiting through their router by an access list that is designed to stop spoofing of their IP addresses. Not to mention possible issues that could come up if someone had some malicious intent to disrupt traffic to a specific netblock. Just wondering if there have been any discussions on this issue?
> Jeremy
Welcome to the insecurities of how the internet works :)
But, I'd agree - this seems like a lot of work for folks to maintain prefix filters...
If everyone can agree to maintain proper IRR policy/objects, we could have irrpt or the like build prefix filters on an automated basis and suck into the route servers, but we'd have to get consensus of the group.
At the very least, the route servers could check as-path, filter bogons, and police a reasonable max-prefix (if they don't already).
On Wed, Jan 19, 2011 at 2:36 PM, Steve Howard <showard@paulbunyan.net> wrote:
> I haven't heard any discussions about this, but I think that is something that we should look into. The downside is that every time somebody adds a network or a customer with an ARIN allocation it would require human maintenance. I wouldn't want to have that job. I also suspect that it could be problematic for organizations with a large number of netblocks.
> Can our route servers read routes from a routing registry?
Bogons are being filtered and I believe we are capping the prefixes. Default routes are also filtered. We can look into the IRR but it does add a bit of burden for those not currently using a registry. I would add that private AS numbers need to be filtered on the route server.
On Jan 19, 2011 2:53 PM, "Andrew Hoyos" <hoyosa@gmail.com> wrote:
> Welcome to the insecurities of how the internet works :)
> But, I'd agree - this seems like a lot of work for folks to maintain prefix filters...
> If everyone can agree to maintain proper IRR policy/objects, we could have irrpt or the like build prefix filters on an automated basis and suck into the route servers, but we'd have to get consensus of the group.
> At the very least, the route servers could check as-path, filter bogons, and police a reasonable max-prefix (if they don't already).
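
The route-server checks named in this thread (default-route and bogon filtering, an AS-path check, private AS numbers, IRR-derived prefix lists and a max-prefix cap), written out as an added example that is not part of the original thread or of any route server's own configuration. The prefixes and AS numbers are constructed from documentation ranges, the bogon list is partial, the /24 length limit and counting max-prefix after filtering are assumptions, and the function names are hypothetical.

```python
import ipaddress

# Partial IPv4 bogon list for illustration. The documentation /24s are left
# out on purpose so they can stand in for member address space below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
PRIVATE_ASNS = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996

def reject_reasons(peer_asn, prefix, as_path, irr_prefixes, max_len=24):
    """Return why one IPv4 announcement is dropped; an empty list means accept."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    if net.prefixlen == 0:
        reasons.append("default route")
    elif net.prefixlen > max_len:  # assumed limit, not stated in the thread
        reasons.append("more specific than /%d" % max_len)
    if any(net.subnet_of(b) for b in BOGONS):
        reasons.append("bogon")
    if not as_path or as_path[0] != peer_asn:
        reasons.append("first AS is not the peer")
    if any(lo <= asn <= hi for asn in as_path for lo, hi in PRIVATE_ASNS):
        reasons.append("private ASN in path")
    # The member may announce a registered prefix or a more-specific of it.
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in irr_prefixes):
        reasons.append("not covered by IRR route objects")
    return reasons

def import_from_peer(peer_asn, announcements, irr_prefixes, max_prefix):
    """Filter a peer's routes; the flag is True when accepted > max_prefix."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        why = reject_reasons(peer_asn, prefix, as_path, irr_prefixes)
        if why:
            rejected.append((prefix, why))
        else:
            accepted.append(prefix)
    return accepted, rejected, len(accepted) > max_prefix

# Constructed sample: what the IRR lists for member AS64500, and what it sends.
IRR_AS64500 = ["198.51.100.0/24", "203.0.113.0/24"]
SAMPLE = [
    ("198.51.100.0/24", [64500]),         # registered, accepted
    ("203.0.113.0/24", [64500, 64501]),   # registered customer route
    ("192.0.2.0/24", [64500]),            # someone else's prefix
    ("10.1.0.0/16", [64500]),             # bogon
    ("0.0.0.0/0", [64500]),               # default route
    ("203.0.113.0/24", [64500, 65001]),   # private ASN in the path
]
```

Calling `import_from_peer(64500, SAMPLE, IRR_AS64500, max_prefix=100)` accepts only the first two routes; the third is the misconfiguration case raised at the start of the thread, dropped because no IRR object covers it.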
participants (4)
- Andrew Hoyos
- Jay Hanke
- Jeremy Lumby
- Steve Howard