North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Defeating DoS Attacks Through Accountability

  • From: Mark Mentovai
  • Date: Sun Nov 12 12:55:18 2000

Daniel Senie wrote:
>I'm not sure you're being clear. If someone has portable /24 or /16, and
>does NOT do their own BGP, but contracts with ONE ISP to do that
>advertisement. How do other ISPs know that ISP has permission? We could
>point to the RADB, but it's chock full of bogus data. We could point to
>ARIN, but their database just says the owner of the net in question is
>whomever it is. Those who own that space have a legitimate right to use
>that space, so telling them to get ISP-provided space is a non-starter.

If an ISP customer of mine wants me to statically route to them a block of
space that one of their customers owns, I require authorization from their
customer - the entity to which the block in question has been delegated -
saying that my customer (their provider) is permitted to route a certain
block.  The authorization must come from the delegated organization, but it
can be provided (relayed) to me by my customer.  It could be part of an
engineering sheet that's been signed by the downstream, for all I care.

It works the same way if you replace "statically route to them" with "not
filter annoumcements from them for."

Essentially, I want my customer to call me up and say "I don't own this
block but my customer does, I've just FAXed you authorization from her
saying that we are allowed to announce part of her block."  I then get on
the phone with my upstreams and ask them to relax their filters a bit, and
furnish any authorizaiton necessary (which they unfortunately typically
don't require).

Once I've added the route or lifted the filter, though, there's no way for
me verify that the status of the block has not changed unless someone
challenges it.

The current system was built around trust - my upstreams trust me not to
maliciously want to announce blocks I'm not entitled to announce, and filter
only to prevent me from shooting myself and others in the feet.  The
requirement for having filters explicitly modified at least means that
fingers can be pointed if something is screwed up, but the implicit trust
means that some clown can blackhole for at least a little
while, long enough to cause the a disruption.

>I agree it's a problem in need of a proper solution. The solution has to
>account for portable address space not owned by providers.

In addition to permitting further delegations of "ownership" of address
space, perhaps allocation authorities should also provide a mechanism for
delegating routability from an owner to its upstreams.  Such a system would
provide a more-or-less central database to check when a request for a new
route is made and to validate existing routes against.

Of course nobody would use such a system unless it was required, and once
again, the requirement has to come from the top - the major NSP players -
and "trickle down" to the end networks.