On Feb 14, 2009, at 5:43 PM, Florian Weimer wrote:
> * Steven M. Bellovin:
>
>> As Randy and Valdis have pointed out, if this isn't done very carefully
>> it's an open invitation to a new, very effective DoS technique. You
>> can't do this without authoritative knowledge of exactly who owns any
>> prefix; you also have to be able to authenticate the request to
>> blackhole it. Those two points are *hard*.
>
> If you want to run a public exchange point, you need to solve the same
> announcement validation problem. Multiple organizations appear to do
> it successfully, so it can't be that difficult.
No you don't.
And yes it is.
To be clear, I am not saying it should or should not be done, just
that your comparison is invalid.
--
TTFN,
patrick
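The two checks Bellovin's quoted message names (who is authorized for a prefix, and whether the blackhole request really comes from that party) can be sketched as a small validator. This is an added illustration, not code from anyone in the thread: the authorization table, the per-AS shared secrets and the HMAC-over-"AS:prefix" request tag are all assumed for the example. The deliberately awkward case is the host-route blackhole: the AS that legitimately announces 192.0.2.0/24 is refused a /32 inside it because its authorization stops at /24, which is one concrete way the "exactly who owns any prefix" problem bites for blackholing.

```python
import hashlib
import hmac
import ipaddress

# Constructed, illustrative authorization table (assumed for this example):
# "origin_as may announce anything inside prefix, down to max_len".
AUTHORIZATIONS = [
    {"prefix": "192.0.2.0/24", "origin_as": 64496, "max_len": 24},
    {"prefix": "198.51.100.0/24", "origin_as": 64497, "max_len": 32},
]

# Constructed per-AS shared secrets used to authenticate requests
# (an assumed scheme; any real deployment would use something stronger).
SHARED_KEYS = {
    64496: b"example-key-64496",
    64497: b"example-key-64497",
}


def ownership_ok(prefix, origin_as, authorizations=AUTHORIZATIONS):
    """Is origin_as authorized for exactly this prefix (covered and not
    more specific than the entry's max_len)?"""
    net = ipaddress.ip_network(prefix, strict=True)
    for entry in authorizations:
        auth_net = ipaddress.ip_network(entry["prefix"])
        if (entry["origin_as"] == origin_as
                and net.version == auth_net.version
                and net.subnet_of(auth_net)
                and net.prefixlen <= entry["max_len"]):
            return True
    return False


def sign_request(prefix, origin_as, key):
    """Assumed request tag: HMAC-SHA256 over 'AS:prefix' with the AS's key."""
    msg = f"{origin_as}:{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def request_authentic(prefix, origin_as, tag, keys=SHARED_KEYS):
    """Does the tag prove the request came from the party holding
    origin_as's key? Unknown AS means no key, so no."""
    key = keys.get(origin_as)
    if key is None:
        return False
    return hmac.compare_digest(sign_request(prefix, origin_as, key), tag)


def blackhole_request_accepted(prefix, origin_as, tag):
    """Accept only when both of Bellovin's conditions hold: the request is
    authenticated as coming from origin_as, and origin_as is authorized
    for the exact prefix being blackholed."""
    return (request_authentic(prefix, origin_as, tag)
            and ownership_ok(prefix, origin_as))


if __name__ == "__main__":
    # AS 64497 may blackhole a host inside its /24 (max_len 32).
    tag = sign_request("198.51.100.7/32", 64497, SHARED_KEYS[64497])
    print(blackhole_request_accepted("198.51.100.7/32", 64497, tag))
    # AS 64496 owns 192.0.2.0/24 but is only authorized down to /24,
    # so a /32 blackhole request is refused despite a valid tag.
    tag = sign_request("192.0.2.7/32", 64496, SHARED_KEYS[64496])
    print(blackhole_request_accepted("192.0.2.7/32", 64496, tag))
```

The second rejection is the point of the example: the ownership database and the blackhole request operate at different granularities, so "authoritative knowledge of exactly who owns any prefix" has to be expressed at host-route precision before automated blackholing is safe, and a forged tag from a party that does not hold the AS's key never gets that far.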