nanog mailing list archives

Re: soBGP deployment

From: Jeroen Massar <jeroen () unfix org>
Date: Mon, 23 May 2005 20:15:15 +0200

On Mon, 2005-05-23 at 14:00 -0400, Daniel Golding wrote:


I suspect the right thing to do is to ask why soBGP and sBGP have failed?

And yes, they've failed. Just like DNSSec, we aren't seeing even limited
adoption. Why? Too complex, too many moving parts, too much reliance on iffy
third parties and requires mass adoption.

I suggest that the community finds something that gives us most of what we
want, is simple to understand, and can be implemented in a piece-wise
fashion. Look at SPF - not perfect, but certainly useful. It is simple, easy
to implement, and IS being implemented.


<sidetrack>

SPF gets implemented by a few. I won't implement it simply because it
will break my mailsetup because the mechanism format does not allow
optional mechanisms to be defined eg, if I would use in DNS:
 "v=spf1 ip6:2001:db8::/48 -all"
Any host which implements SPF checks but does not know how to do ip6
checks, even though the message went 100% through an IPv6 only path will
drop the mail in the trashcan, even though the mail is 100% legit.
But this is a non-issue of course as everybody uses IPv6 only... just
like nobody uses DNSSec and other cool toys.

</sidetrack>

<SNIP>

Why not do something simple? The in-addr.arpa reverse delegation tree is
pretty accurate. We use it for lots of different things. Why not just give
IP address blocks a new RR (or use a TXT record) to identify ASN? This
solves the biggest problem we have right now, which is stealing of address
blocks. It requires little processor overhead, and only a few additional DNS
lookups. Its reasonably foolproof.


<sarcastic smiling comment> But you are the fool here </sa....>

So your router boots and receives a prefix and then you are going to
check using the just received prefix if it is legit to be sent from that
ASN, remember that it was just faked :) Or do it before you get it and
thus don't have a route...

L3 on L3 dependencies don't work unfortunately.

I am really glad the IETF has a lot of people who catch above things
quite easily because of expertise and experience.

Btw "pretty accurate" is not good enough unfortunately...

Greets,
 Jeroen

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: soBGP deployment, (continued)
- - - Re: soBGP deployment Russ White (May 24)
    - Re: soBGP deployment Randy Bush (May 24)
    - Re: soBGP deployment Michael . Dillon (May 23)
    - Re: soBGP deployment Russ White (May 23)
    - Re: soBGP deployment Russ White (May 23)
    - Re: soBGP deployment Edward Lewis (May 23)
    - Re: soBGP deployment Michael . Dillon (May 23)
    - Re: soBGP deployment william(at)elan.net (May 23)
    - Re: soBGP deployment bmanning (May 23)
    - Re: soBGP deployment Daniel Golding (May 23)
    - Re: soBGP deployment Jeroen Massar (May 23)
    - Re: soBGP deployment bmanning (May 23)
    - Re: soBGP deployment Edward Lewis (May 23)
    - Re: soBGP deployment Daniel Golding (May 23)
    - Re: soBGP deployment Valdis . Kletnieks (May 23)
    - Re: soBGP deployment Brad Knowles (May 23)
    - Message not available
    - Re: soBGP deployment Suresh Ramasubramanian (May 23)
    - Re: soBGP deployment Michael . Dillon (May 24)
    - Re: soBGP deployment Geoff Huston (May 23)
    - Re: soBGP deployment Russ White (May 23)
    - Re: soBGP deployment Tony Li (May 23)

(Thread continues...)