On 2010-11-15 12:53, Fredy Kuenzler wrote: [..]
> Why should we change a generally good working system just because some network rookies don't know better? Fix the problem at the source, don't circumvent it.
Because you can't trust remote networks?
RPSL would have fixed the Pakistani YouTube issue already, btw, as it would have filtered out the more specific announcement, unless they spoofed the source ASN; that is IMHO the only advantage that this RPKI trick gives you.
Another approach to all of this is to do off-line filtering and have a UI that allows you to approve changes in routes.
Thus: you are running the system, and all prefixes are accepted. Now somebody announces prefix A.B.C.D/24 from a path ending in "F G H". As your system has not seen it yet, there are two options: it is a more specific, in which case your system puts it on the 'to approve' list and does not accept it yet; or it is most specific, in which case your system puts it on the 'to check' list but does accept it.
The big issue, of course, is that you have to approve/check 300k prefixes once, but you can eliminate most of those with RPSL already today.
In combination with an RPKI that does BGP origin validation, the system just has an extra metric to state 'oh, that is also a valid source ASN'.
Greets, Jeroen
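One way to prototype the approve/check workflow Jeroen sketches above, as an added example that is not code from this thread or from any project mentioned in it. The prefixes, AS numbers and the ROA are constructed sample data, and the second case is read here as "a prefix not covered by any already accepted route"; the RPKI origin check is the extra metric he mentions, recorded alongside the decision rather than used to reject.

```python
# Added example: offline pre-filter with 'to approve' / 'to check' queues.
# Sample prefixes, ASNs and ROAs are constructed, not real routing data.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Decision:
    accepted: bool
    queue: str                      # "", "to_approve" or "to_check"
    origin_valid: Optional[bool]    # None when no ROA covers the prefix


@dataclass
class OfflineFilter:
    accepted: dict = field(default_factory=dict)   # network -> origin ASN
    to_approve: list = field(default_factory=list)
    to_check: list = field(default_factory=list)
    roas: list = field(default_factory=list)       # (network, max_len, asn)

    def add_roa(self, prefix_str, max_len, asn):
        self.roas.append((ipaddress.ip_network(prefix_str), max_len, asn))

    def origin_validation(self, prefix, origin):
        """RPKI-style origin check: valid if a covering ROA allows this
        length and names the origin ASN; None if no ROA covers the prefix."""
        covering = [r for r in self.roas if prefix.subnet_of(r[0])]
        if not covering:
            return None
        return any(prefix.prefixlen <= mx and origin == asn
                   for _, mx, asn in covering)

    def announce(self, prefix_str, as_path):
        prefix = ipaddress.ip_network(prefix_str)
        origin = as_path[-1]
        valid = self.origin_validation(prefix, origin)
        if prefix in self.accepted:            # already seen: nothing to do
            return Decision(True, "", valid)
        # A strict more specific of an accepted prefix (the YouTube hijack
        # shape): hold it on the 'to approve' list, do not accept it yet.
        if any(prefix != p and prefix.subnet_of(p) for p in self.accepted):
            self.to_approve.append((prefix_str, as_path, valid))
            return Decision(False, "to_approve", valid)
        # Not covered by anything accepted so far: accept, but queue a check.
        self.accepted[prefix] = origin
        self.to_check.append((prefix_str, as_path, valid))
        return Decision(True, "to_check", valid)
```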