NORDNOG Archives


Subject: Re: RIPE down - DDoS confirmed
From: Fredrik Widell <[log in to unmask]>
Reply-To: Network management discussion for Nordic region <[log in to unmask]>
Date: Fri, 28 Feb 2003 09:13:23 +0100


On Fri, 28 Feb 2003, Kurt Erik Lindqvist wrote:

> >> I tried to propose to the PTS that Netnod would start announcing the
> >> ISPs' own address space and to them just to see what happens.
> >> They didn't seem to like the idea...
> >
> > Wonder why? ;-)
> >
> On a serious note I do think something like this would be useful. But
> in a controlled environment.
> From my memory we have lost peering (for all ISPs) across D-GIX/Netnod
> two or three times since I started running a connection there, which
> was end of 1996. In two of the cases it was an ISP announcing the
> entire world and in the third case it was someone who started
> announcing the peering prefix (this was around the time it was started
> to get considered good to filter these...:)). Problem is that this was
> back in 1997 and most of the people who were around then and got
> burnt are no longer running networks. I think we need an incident like
> this every year to keep people on their toes.

Since this discussion is on the list, shouldn't we, the Swedish (and Nordic)
ISPs try to begin to use prefix-filtering instead of the mixed mess of
maximum-prefixes, as-path-origin or no filters at all?

RIPE has some good tools to check for unregistered route-objects compared
to the live bgp, I proposed these tools to Netnod some years or two or so
ago, if we keep the ripedb up-to-date with all our routes -> route-objects
it would be an easy step to begin to use prefix-filters, which would lead
to a much more stable environment when things go bad, i.e. if someone shoots
from the hip when configuring their routers, if someone begins to announce
the full bgp-table, this would not affect you if you use prefix-filter, even
if someone does the terrible task of redistribute bgp->igp and back again
igp->bgp (if there exists a router that does not explode when doing this)
you would not be affected by this, if you just use as-path-filters you will
otherwise see the whole Internet behind your neighbour's AS and you would probably
use these routes, and die.

So, I would like to suggest to the community that we start testing
prefix-filters between the ISPs, I am willing to do testing on this
towards anyone who is confident enough that they have done their
homework and have all their routes registered in the ripedb :)

(I am not confident at all regarding that :)

> - kurtis -




KTHNOC, KTH, S-100 44 Stockholm, Sweden +46 8 790 65 17
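
An added example, not part of the original message: the comparison the post draws between an as-path-origin filter and a prefix filter built from registered route objects, applied to a route that has been re-originated after bgp->igp->bgp redistribution. The route objects, AS numbers (AS64500, AS64501), prefixes and announcements are constructed documentation values, and all function names are hypothetical.

```python
import ipaddress

# Constructed RIPE-style route objects; prefixes and ASNs are documentation values.
RPSL = """\
route:  192.0.2.0/24
origin: AS64500

route:  198.51.100.0/24
origin: AS64500

route:  203.0.113.0/24
origin: AS64501
"""

def parse_route_objects(text):
    """Map each origin ASN to the set of prefixes registered for it."""
    registered = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            asn = int(attrs["origin"].upper().replace("AS", "", 1))
            registered.setdefault(asn, set()).add(ipaddress.ip_network(attrs["route"]))
    return registered

def as_path_origin_ok(neighbor_asn, as_path):
    """AS-path filter: accept any prefix that the neighbor sends and originates."""
    return as_path[0] == neighbor_asn and as_path[-1] == neighbor_asn

def prefix_ok(allowed, prefix):
    """Prefix filter: accept only prefixes registered for the neighbor."""
    return ipaddress.ip_network(prefix) in allowed

def evaluate(neighbor_asn, announcements, registered):
    """Return (prefix, passes_as_path_filter, passes_prefix_filter) per route."""
    allowed = registered.get(neighbor_asn, set())
    return [(p, as_path_origin_ok(neighbor_asn, path), prefix_ok(allowed, p))
            for p, path in announcements]

# Constructed session with neighbor AS64500: one legitimate route, then a route
# learned from AS64501 that went bgp->igp->bgp and now looks locally originated.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500]),
    ("203.0.113.0/24", [64500]),
]

if __name__ == "__main__":
    for row in evaluate(64500, ANNOUNCEMENTS, parse_route_objects(RPSL)):
        print(row)
```

The second route passes the as-path-origin check because redistribution stripped the original path, while the prefix filter rejects it because no route object registers that prefix to AS64500.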
