nanog mailing list archives
Re: soBGP deployment
From: Jeroen Massar <jeroen () unfix org>
Date: Mon, 23 May 2005 20:15:15 +0200
On Mon, 2005-05-23 at 14:00 -0400, Daniel Golding wrote:
I suspect the right thing to do is to ask why soBGP and sBGP have failed? And yes, they've failed. Just like DNSSec, we aren't seeing even limited adoption. Why? Too complex, too many moving parts, too much reliance on iffy third parties and requires mass adoption. I suggest that the community finds something that gives us most of what we want, is simple to understand, and can be implemented in a piece-wise fashion. Look at SPF - not perfect, but certainly useful. It is simple, easy to implement, and IS being implemented.
<sidetrack> SPF gets implemented by a few. I won't implement it simply because it will break my mailsetup because the mechanism format does not allow optional mechanisms to be defined eg, if I would use in DNS: "v=spf1 ip6:2001:db8::/48 -all" Any host which implements SPF checks but does not know how to do ip6 checks, even though the message went 100% through an IPv6 only path will drop the mail in the trashcan, even though the mail is 100% legit. But this is a non-issue of course as everybody uses IPv6 only... just like nobody uses DNSSec and other cool toys. </sidetrack> <SNIP>
Why not do something simple? The in-addr.arpa reverse delegation tree is pretty accurate. We use it for lots of different things. Why not just give IP address blocks a new RR (or use a TXT record) to identify ASN? This solves the biggest problem we have right now, which is stealing of address blocks. It requires little processor overhead, and only a few additional DNS lookups. Its reasonably foolproof.
<sarcastic smiling comment> But you are the fool here </sa....> So your router boots and receives a prefix and then you are going to check using the just received prefix if it is legit to be sent from that ASN, remember that it was just faked :) Or do it before you get it and thus don't have a route... L3 on L3 dependencies don't work unfortunately. I am really glad the IETF has a lot of people who catch above things quite easily because of expertise and experience. Btw "pretty accurate" is not good enough unfortunately... Greets, Jeroen
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: soBGP deployment, (continued)
- Re: soBGP deployment Russ White (May 24)
- Re: soBGP deployment Randy Bush (May 24)
- Re: soBGP deployment Michael . Dillon (May 23)
- Re: soBGP deployment Russ White (May 23)
- Re: soBGP deployment Russ White (May 23)
- Re: soBGP deployment Edward Lewis (May 23)
- Re: soBGP deployment Michael . Dillon (May 23)
- Re: soBGP deployment william(at)elan.net (May 23)
- Re: soBGP deployment bmanning (May 23)
- Re: soBGP deployment Daniel Golding (May 23)
- Re: soBGP deployment Jeroen Massar (May 23)
- Re: soBGP deployment bmanning (May 23)
- Re: soBGP deployment Edward Lewis (May 23)
- Re: soBGP deployment Daniel Golding (May 23)
- Re: soBGP deployment Valdis . Kletnieks (May 23)
- Re: soBGP deployment Brad Knowles (May 23)
- Message not available
- Re: soBGP deployment Suresh Ramasubramanian (May 23)
- Re: soBGP deployment Michael . Dillon (May 24)
- Re: soBGP deployment Geoff Huston (May 23)
- Re: soBGP deployment Russ White (May 23)
- Re: soBGP deployment Tony Li (May 23)