nanog mailing list archives

Re: [doable?] peer filtering (was Re: Trusting BGP sessions)


From: Ran Atkinson <rja () extremenetworks com>
Date: Wed, 15 Nov 2000 16:51:44 -0500


At 15:02 15/11/00, Kevin Oberman wrote:
> Since Sprint and UUnet don't seem to be willing to provide information
> in the IRR to allow us to generate access-lists/policies, and not
> peering with these folks would be a Bad Idea(tm), so we can't quite
> filter everyone. (If I could figure out a way to get them to register,
> I'd have fun trying, though.)

        Excellent point.

        The main deployment limitation of any of the schemes
proposed for enhanced authentication of prefix advertisements
appears to be the unwillingness of certain major ISPs to
provide authenticated information about which prefixes 
that service provider claims to be providing service for.

        The Routing Registries would be one way to make
that data available; however, the folks who don't want to
participate in the RRs also seem uncomfortable providing
the same data via some other method that can be authenticated.

        Offhand, I don't know which service providers have
this reluctance.  It's clear that at least some major service
providers do have such a reluctance.  Until resolved, this
will be a significant deployment hindrance for better methods
(e.g. S-BGP or the other proposed approaches) of protecting 
against inaccurate/false/accidental prefix advertisements.

        Sigh.

Ran
rja () extremenetworks com

DISCLAIMER: Speaking for myself here, not my employer.
        Flames to /dev/null please.



