
Re: Spam, ASNs, CIDRs, and d-u



On Tue, Sep 28, 2004 at 01:22:23PM +0200, Florian Weimer (fw@deneb.enyo.de) wrote:
> * Karsten M. Self:
> 
> > Background:  ASN identifies the Autonomous System.  Effectively, these
> > are the networks the Internet is networking between.  Each is defined by
> > a single span of routing authorities, peers, etc., and largely,
> > organizational authority.  In other words:  you've got an identifiable,
> > accountable entity with a definable network space.  More to the point:
> > they're _accountable_ for that space, and had damned well better be
> > keeping it clean.
> 
> And there are only a few thousand ASNs which are actually used in the
> Internet routing table, which means that maintaining a list of
> responsible ones is indeed feasible.
> 
> > For more general information:
> >
> >     http://www.routeviews.org/
> >
> > The data are compiled directly from BGP router maps.  My understanding
> > is that the zonefiles are downloadable (I'm checking on this now).
> > They're certainly cacheable.
> 
> I've got a tool that builds optimized zone files from BGP table dumps.
> However, you need quite a bit of RAM on the authoritative name server
> (BIND 9 grows by 120 MB, I haven't tried nsd so far).  All you need is
> a BGP (and Quagga), but we should be able to get one on some Debian
> machine if we really want to try this approach.

This is getting out of my depth (I just know the tools are there...).

However, isn't the general routing information also available from RIRs
for assignments?
 
> Unfortunately, using BGP to combat spam on a large scale will result
> in more spammers attacking BGP.  As BGP provides no real
> authentication of announcements (there's no end-to-end mechanism, and
> a trusted route registry faces huge organizational challenges), and
> out-of-band documentation is *extremely* poor, this can result in very
> annoying problems.  What's worse, tactical hijacking of netblocks for
> spamming purposes is no longer a theoretical possibility, it has
> already happened. 8-(

Hrm.   I really haven't thought of the attacks against this, nor do I
understand the issues sufficiently to formulate them.  I've had some
emails with Joe St. Sauver of University of Oregon, and some incidental
contacts with the routeviews people.

Isn't the BGP data _necessary_ for routing topology to work?

Alternatively, the information is also typically available from WHOIS
records (and we *know* what bastions of data purity those are...), but
with a far higher lag, greater data variance, and more difficult parsing
requirements, than a DNS query.


How about tackling it from the other angle:  rather than known
untrusted bad ASNs, known trusted good ones.  People with a good rep
have an interest in defending it.

As for hijacks, etc., yes, you'd probably want to toss in bogons and
other known bad IP blocks as well.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The Journal's editorial page made the mistake of relying on the
    accuracy and completeness of The Journal's reporting.
    - Warren E. Buffett, letter to The Wall Street Journal
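The two ideas discussed in this thread (building a DNS zone from a BGP table dump so that an origin ASN can be looked up with one DNS query, and checking a sender against a list of trusted ASNs) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Florian's zone-building tool nor anything from routeviews. It assumes a simplified dump format of one "prefix origin-AS" pair per line, uses the placeholder zone name asn.example, and uses only documentation prefixes (RFC 5737) and documentation ASNs (RFC 6996) as constructed sample data. Prefixes of /24 or shorter become one DNS wildcard record per covered /24; longer prefixes become one record per host, which DNS resolves in preference to the wildcard, so longest-prefix-match semantics survive the translation into a zone.

```python
"""Added example: BGP table dump -> ASN lookup zone, plus a trusted-ASN check.

Assumptions (not from the original thread): dump lines are "prefix origin-AS",
the zone name asn.example is a placeholder, and all prefixes/ASNs below are
documentation values, not real announcements.
"""
import ipaddress

# Constructed sample dump.  The /25 inside the /24 exercises longest-prefix match.
SAMPLE_DUMP = """\
# prefix          origin-AS
192.0.2.0/24      64496
198.51.100.0/24   64497
203.0.113.0/25    64498
203.0.113.0/24    64499
"""

# Constructed allowlist of ASNs whose space we choose to trust.
TRUSTED_ASNS = {64496, 64497}


def parse_dump(text):
    """Return [(IPv4Network, asn)], most specific prefix first."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        prefix, asn = line.split()
        table.append((ipaddress.ip_network(prefix, strict=True), int(asn)))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def origin_asn(ip, table):
    """Longest-prefix match: first hit in the most-specific-first table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def zone_records(table, zone="asn.example"):
    """Map reversed-octet owner names to ASNs.

    Less specific prefixes are written first so a more specific prefix
    covering the same /24 overwrites its wildcard; prefixes longer than /24
    get per-host names, which DNS prefers over the /24 wildcard.
    """
    records = {}
    for net, asn in sorted(table, key=lambda entry: entry[0].prefixlen):
        if net.prefixlen <= 24:
            subs = [net] if net.prefixlen == 24 else net.subnets(new_prefix=24)
            for sub in subs:
                a, b, c, _ = str(sub.network_address).split(".")
                records[f"*.{c}.{b}.{a}.{zone}."] = asn
        else:
            for host in net:                      # every address in the block
                a, b, c, d = str(host).split(".")
                records[f"{d}.{c}.{b}.{a}.{zone}."] = asn
    return records


def render_zone(records, zone="asn.example", ttl=3600):
    """Render a minimal zone file; SOA/NS values are placeholders."""
    lines = [
        f"$TTL {ttl}",
        f"{zone}. IN SOA ns1.{zone}. hostmaster.{zone}. 1 3600 900 604800 {ttl}",
        f"{zone}. IN NS ns1.{zone}.",
    ]
    for name, asn in sorted(records.items()):
        lines.append(f'{name} IN TXT "AS{asn}"')
    return "\n".join(lines) + "\n"


def from_trusted_asn(ip, table, trusted=TRUSTED_ASNS):
    """True only if the IP's origin AS is known *and* on the allowlist."""
    asn = origin_asn(ip, table)
    return asn is not None and asn in trusted


if __name__ == "__main__":
    table = parse_dump(SAMPLE_DUMP)
    print(render_zone(zone_records(table)))
    for ip in ("192.0.2.77", "203.0.113.5", "203.0.113.200", "10.0.0.1"):
        print(ip, origin_asn(ip, table), from_trusted_asn(ip, table))
```

A real routing table has hundreds of thousands of prefixes, which is where the memory figure quoted above comes from; the per-host expansion for prefixes longer than /24 is the part that would need the "optimized" treatment in practice. Note also that the allowlist check fails closed: an address with no matching prefix is not trusted, which matters when the dump is stale or a hijacked announcement has been filtered out.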
