nanog mailing list archives

Re: the problems being solved -- or not


From: Russ White <ruwhite () cisco com>
Date: Tue, 24 May 2005 07:41:49 -0400 (Eastern Daylight Time)



Let's look at Tony's points above. These solutions cannot deal with the last case, i.e., the "owner" of the prefix decides to advertise more specifics (and the ISPs pass that crap through). Then we're left with attacks where someone else advertises an equal route, or someone advertises a more specific.

One of the various policies available within the soBGP specs is the ability for the owner of an address block to state: "The longest prefix within this block will be /x." This means that if you own 10.1.0.0/16, you can say: "The longest prefix length within 10.1.0.0/16 will be a /17." Or you can say: "The longest prefix within 10.1.0.0/17 will be a /18, and the longest within 10.1.1.0/17 will be a /20." Now, if someone attempts to steal your traffic by advertising a longer prefix, anyone actually checking would toss their routes.

Yes, you could advertise the same length, of course, but then, if the origin doesn't match, and/or the AS Path is bogus, they're toast, as well.

:-)

Russ

__________________________________
riw () cisco com CCIE <>< Grace Alone
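An added example (not code from the post, and not the soBGP specification's encoding) of the check described above: an owner publishes, per block, the longest prefix length that may appear inside it and the AS allowed to originate it; a router receiving an announcement rejects anything longer than the published limit and anything whose origin does not match. The policy records, the rule that the most specific covering block governs, and the block/AS numbers are all assumptions made for illustration.

```python
"""Illustrative longest-prefix and origin check for a block owner's policy.
This is an added example, not the soBGP data model."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class BlockPolicy:
    # Hypothetical owner-published record: within `block`, no advertised
    # prefix may be longer than /`max_len`, and only `origin_as` may
    # originate prefixes from it.
    block: ipaddress.IPv4Network
    max_len: int
    origin_as: int

# Constructed policy set mirroring the post's example: the whole /16
# permits nothing longer than /17, and the lower /17 refines that to /18.
# Assumption: the most specific covering block's limit governs.
POLICIES: List[BlockPolicy] = [
    BlockPolicy(ipaddress.ip_network("10.1.0.0/16"), 17, 64500),
    BlockPolicy(ipaddress.ip_network("10.1.0.0/17"), 18, 64500),
]

def governing_policy(prefix: ipaddress.IPv4Network,
                     policies: List[BlockPolicy]):
    """Return the most specific policy whose block covers `prefix`, or None."""
    covering = [p for p in policies if prefix.subnet_of(p.block)]
    if not covering:
        return None
    return max(covering, key=lambda p: p.block.prefixlen)

def check_announcement(prefix_str: str, as_path: List[int],
                       policies: List[BlockPolicy] = POLICIES) -> Tuple[str, str]:
    """Validate one announcement against the owner-published policies.

    Returns (verdict, reason) where verdict is one of:
      "invalid"  - longer than the owner allows, wrong origin, or malformed
      "valid"    - within the length limit and from the registered origin
      "unknown"  - no policy covers the prefix, so nothing can be checked
    """
    try:
        # strict=True rejects prefixes with host bits set (e.g. 10.1.1.0/17).
        prefix = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return "invalid", f"malformed prefix {prefix_str!r}: {exc}"
    if not as_path:
        return "invalid", "empty AS path"
    origin_as = as_path[-1]  # the originating AS is the last hop in the path

    policy = governing_policy(prefix, policies)
    if policy is None:
        return "unknown", "no owner policy covers this prefix"

    # A more specific than the owner permits is the traffic-stealing case.
    if prefix.prefixlen > policy.max_len:
        return "invalid", (f"/{prefix.prefixlen} exceeds the /{policy.max_len} "
                           f"limit the owner published for {policy.block}")
    # Same length but a different origin is the other attack the post names.
    if origin_as != policy.origin_as:
        return "invalid", (f"origin AS{origin_as} is not the registered "
                           f"origin AS{policy.origin_as} for {policy.block}")
    return "valid", "within owner's length limit and from the registered origin"

if __name__ == "__main__":
    # Constructed announcements: (prefix, AS path as seen by the receiver).
    for prefix, path in [
        ("10.1.0.0/17", [64510, 64500]),    # valid: owner's own /17
        ("10.1.0.0/19", [64510, 64500]),    # invalid: longer than /18 inside the /17
        ("10.1.128.0/18", [64510, 64500]),  # invalid: longer than /17 in the upper half
        ("10.1.0.0/16", [64510, 64666]),    # invalid: right length, wrong origin
        ("192.0.2.0/24", [64510, 64500]),   # unknown: no policy published
        ("10.1.1.0/17", [64510, 64500]),    # invalid: host bits set, not a real /17
    ]:
        print(prefix, path, "->", check_announcement(prefix, path))
```

The length check alone is what stops the more-specific hijack; the origin comparison handles an equal-length announcement from someone else. Verifying that the AS path itself is plausible (each adjacency actually exists) is a separate check that this example does not attempt.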
