North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Public shaming list for ISPs announcing other ISPs IP space by mistake
On Thu, Aug 14, 2008 at 11:32:28AM -0700, brett watson wrote: > On Aug 14, 2008, at 11:21 AM, David Freedman wrote: > >> >>> but, why wouldn't something like formally requiring >>> customers/peers/transits/etc to have radb objects as a 'requirement' >>> for peering/customer bgp services >>> >> >> Step 1 : Enforce IRR for customers *now*. > > Right, but I think the bigger issue is not just that "data is in the > IRR" but rather "the data is there, and "some organization" has > validated that 1) the "owner" is authentic, 2) they own the prefixes > they entered, 3) they are authorized to originate the prefixes, and 4) > the policies they entered are valid and agreed to by the other parties." > > We have to be able to *trust* the data in the IRR, which I assume is one > of the biggest impediments to being used by everyone: who's going to > validate all that data and how will they do it? You're missing a step: janitor. No really, the reason for some leaks isn't because so-and-so was never a customer, they were. 5 years ago. nobody removed the routes from the IRR or AS-SET or <insert method here> and now the route is learned via some other location and it's bypassed your perimiter security and infiltrated your BGP. There's many simple things that makes it seem like it's an impossible task, but there's a saying, if you're not progressing you're regressing. If the toolset is too complex or doesn't work, what are YOU doing to make it better for you and/or your customers? - jared -- Jared Mauch | pgp key available via finger from jared@xxxxxxxxxxxxxxx clue++; | http://puck.nether.net/~jared/ My statements are only mine.