On (2006-07-21 11:38 -0400), Joe Abley wrote:
> That seems to me like another perfectly valid approach, and one that
> already exists to some extent (e.g. by pre-poisoning AS_PATH
> attributes with AS numbers of remote networks that you don't want to
> accept particular routes). I'm told that IDRP has inclusion and
> exclusion lists which provide more exhaustive implementation of this
> kind of idea, too.

Oh, cool idea. Indeed, an 'as exclude' mechanism is there, but I'm sure I'd be frowned upon for advertising such routes today. 'as include', OTOH, is not there.

> However, for some applications those mechanisms rely on knowing the
> topology one or more AS hops away from your network; AS_PATHLIMIT
> doesn't. To my eye the two approaches seem complementary.

Absolutely complementary. The 'original' problem I was thinking of really needed both, as the point was to find how 'deep' in the Internet your DoS sources are; then, once you've identified the depth, you have a smaller subset of AS#s that you could iterate with include/exclude to pinpoint the source of certain traffic, even if they were spoofing. But that idea has several problems that might make it unfeasible; nevertheless, the traffic engineering applications remain.

> [To be clear, incidentally, Tomy, Rex and I made no claim to be the
> original authors of the idea we were documenting in this draft:

ACK, I did notice that. I'm sure most people have thought about it at one point or another in their networking career :). I hope it'll be implemented.

Thanks,
-- 
  ++ytti
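The two mechanisms the thread contrasts, as an added toy simulation that is not part of the original post or of the AS_PATHLIMIT draft: a constructed six-AS topology (an assumption), a simplified AS_PATHLIMIT that stops re-advertising once the AS_PATH reaches the limit, and pre-poisoning of AS_PATH that relies on the remote AS's own loop detection; depth_to implements the "how deep are the sources" probe described above.

```python
from collections import deque

# Constructed toy topology (an assumption, not from the thread): AS 100
# originates the prefix; AS 500 plays the "remote network" we poison against.
TOPOLOGY = {
    100: [200, 300],
    200: [100, 400],
    300: [100, 400, 500],
    400: [200, 300, 600],
    500: [300, 600],
    600: [400, 500],
}

def propagate(topology, origin, path_limit=None, poison=()):
    """Return {asn: as_path} for every AS that ends up accepting the route.

    Simplified model: breadth-first spread stands in for shortest-AS_PATH
    selection; every hop prepends its ASN; an AS rejects a path that already
    contains its own ASN (the loop detection that pre-poisoning exploits);
    an AS stops re-advertising once len(AS_PATH) >= path_limit (AS_PATHLIMIT).
    """
    seed = [origin] + list(poison)  # poisoned ASNs ride along in the AS_PATH
    accepted = {origin: seed}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        path = accepted[asn]
        if path_limit is not None and len(path) >= path_limit:
            continue  # limit reached: this AS keeps the route to itself
        for peer in topology[asn]:
            if peer in accepted or peer in path:
                continue  # peer already holds a shorter path, or would loop
            accepted[peer] = [peer] + path
            queue.append(peer)
    return accepted

def depth_to(topology, origin, target, max_limit=32):
    """Smallest AS_PATHLIMIT that still lets `target` receive the route,
    i.e. a probe for how many AS hops 'deep' a network sits from origin."""
    for limit in range(1, max_limit + 1):
        if target in propagate(topology, origin, path_limit=limit):
            return limit
    return None

if __name__ == "__main__":
    print(sorted(propagate(TOPOLOGY, 100, path_limit=3)))   # [100, 200, 300, 400, 500]
    print(sorted(propagate(TOPOLOGY, 100, poison=(500,))))  # [100, 200, 300, 400, 600]
    print(depth_to(TOPOLOGY, 100, 600))                     # 4
```

Note that the poisoned route still reaches AS 600 via AS 400, which is exactly why poisoning needs knowledge of the topology around the AS you want to exclude, whereas the limit needs none.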