On 04/02/2016 11:14, Martin T wrote:
Hi,
am I correct that ISPs (in RIPE region), who update their BGP prefix
filters automatically, ask their IP transit customer or peering
partner to provide their "route"/"route6" object(s) or "as-set" object
in order to find all the prefixes which they should accept? If the IP
transit customer or peering partner provides an "as-set", then ISP
needs to ensure that this "as-set" belongs to this IP transit customer
or peering partner because there is no automatic authentication for
this, i.e. anybody can create an "as-set" object to database with
random "members" attributes? This is opposite to "route"/"route6"
objects which follow a strict authentication scheme. In addition, in
case of "as-set", an ISP needs to recursively find all the AS numbers
from "members" attributes because "as-set" can include other
"as-sets"? Quite a lot of question, but I would simply like to be sure
that I understand this correctly.
Yes you do. Typically, you'll tell the transit provider something like
"We are AS23456 announcing AS-STUFF" at order time so they know what to
look up.
What then happens is they have something that does the following as
either a semi-automatic or fully automatic process:
1) Iterate through AS-STUFF to get a unique list of AS numbers that are
involved.
2) Go through this list of ASes, doing an inverse lookup of route or
route6 objects with an origin of those ASes.
3) Create filter list from the above list.
The route/route6 objects actually have very weak authentication for
out-of-RIPE-region prefixes.
For example, if I want to add a route object for ARIN prefix originating
from my RIPE-region AS, there is a dummy maintainer to make this
possible. This is currently subject to somewhat of a debate on the
mailing lists because of the obvious abuse vector, and there are cases
where this has been used to help "legitimise" address space hijacks.
Unfortunately it is hard to simultaneously allow legitimate
unauthenticated use without allowing abusive route objects. Which is
why there is a lot of head-scratching here; I don't have an answer to
that one.
Paul.
