On Fri, Jan 27, 2006 at 04:36:28AM -0800, Randy Bush wrote:
>
> > what I saw by going through the diffs, etc.. that I have
> > available to me is that the prefix was registered to be announced
> > by our customer and hence made it into our automatic IRR filters.
>
> i.e., the 'error' was intended, and followed all process.
>
> so, what i don't see is how any hacks on routing, such as delay,
> history, ... will prevent this while not, at the same time, have
> very undesired effects on those legitimately changing isps.
>
> seems to me that certified validation of prefix ownership and as
> path are the only real way out of these problems that does not
> teach us the 42 reasons we use a *dynamic* protocol.

perhaps you mean certified validation of prefix origin and path.
Ownership of any given prefix is a dicey concept at best.
as a start, i'd want two things for authentication and integrity
checks: AS P asserts it is the origin of prefix R and prefix R
asserts the true origin AS is P (or Q or some list). Being able
to check these assertions and being assured of the authenticity
and integrity of the answers goes a long way, at least for me.
path validation is something else and a worthwhile goal.

--bill

>
> what am i missing here?
>
> randy
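
The two-way origin check described in the reply, as an added example that is not part of the original message: an (AS, prefix) pair is accepted only when both the AS-side and the prefix-side assertion exist and verify. HMAC stands in for a real signature scheme, and the keys, ASNs, prefixes and function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress

# Constructed keys and records. HMAC is a stand-in for a real signature
# scheme (assumption); ASNs and prefixes are documentation values.
AS_KEYS = {64500: b"as64500-key", 64666: b"as64666-key"}
PREFIX_KEYS = {"198.51.100.0/24": b"holder-key"}

def sign(key, asn, prefix):
    """Tag one assertion that 'asn originates prefix' under the asserter's key."""
    msg = f"{asn}|{ipaddress.ip_network(prefix)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def asserted(records, keys, side):
    """Return the (asn, network) pairs whose tag verifies under the asserter's key."""
    good = set()
    for asn, prefix, tag in records:
        net = ipaddress.ip_network(prefix)
        # AS-side records are keyed by the AS, prefix-side records by the prefix.
        key = keys.get(asn if side == "as" else str(net))
        if key and hmac.compare_digest(tag, sign(key, asn, prefix)):
            good.add((asn, net))
    return good

def check_origin(asn, prefix, as_records, prefix_records):
    """Classify an announced origin by which side's verified assertions cover it."""
    pair = (asn, ipaddress.ip_network(prefix))
    by_as = pair in asserted(as_records, AS_KEYS, "as")
    by_prefix = pair in asserted(prefix_records, PREFIX_KEYS, "prefix")
    if by_as and by_prefix:
        return "both-agree"
    if by_as:
        return "as-only"
    if by_prefix:
        return "prefix-only"
    return "unasserted"

P = "198.51.100.0/24"
AS_RECORDS = [
    (64500, P, sign(AS_KEYS[64500], 64500, P)),
    (64666, P, sign(AS_KEYS[64666], 64666, P)),  # AS claims a prefix that does not list it
]
PREFIX_RECORDS = [
    (64500, P, sign(PREFIX_KEYS[P], 64500, P)),
    (64502, P, sign(PREFIX_KEYS[P], 64502, P)),  # listed, but AS 64502 never asserted it
    (64666, P, "0" * 64),                         # altered entry: tag does not verify
]
```

Only the "both-agree" result satisfies both assertions; the other three outcomes tell an operator which side is missing or failed verification.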