On 11 Mar 2012, at 09:48, Iljitsch van Beijnum <iljit...@muada.com> wrote:

> On 9 Mar 2012, at 10:02 , Jeff Wheeler wrote:
> 
>> The way we are headed right now, it is likely that the IPv6 address
>> space being issued today will look like "the swamp" in a few short
>> years, and we will regret repeating this obvious mistake.
> 
>> We had this discussion on the list exactly a year ago.  At that time,
>> the average IPv6 origin ASN was announcing 1.43 routes.  That figure
>> today is 1.57 routes per origin ASN.
> 
> The IETF and IRTF have looked at the routing scalability issue for a long 
> time. The IETF came up with shim6, which allows multihoming without BGP. 
> Unfortunately, ARIN started to allow IPv6 PI just in time so nobody bothered 
> to adopt shim6. I haven't followed the IRTF RRG results for a while, but at 
> some point LISP came out of this, where we basically tunnel the entire 
> internet so the core routers don't have to see the real routing table.
> 
> But back to the topic at hand: filtering long prefixes. There are two reasons 
> you want to do this:
> 
> 1. Attackers could flood BGP with bogus prefixes to make tables overflow
> 
> 2. Legitimate prefixes may be deaggregated so tables overflow
> 
> It won't be quick or easy, but the RPKI stuff should solve 1.
> 
> 

Unless the attacker uses the same origin AS that is in the ROA. Probably it 
won't hijack the traffic but it may create a DoS or any other kind of problem.

Regards,
as
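
Added example, not part of either message in the thread: a minimal route origin validation check in the style of RFC 6811, showing why an announcement that reuses the origin AS from the ROA still validates. The ROA, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
# Added illustration of RFC 6811-style origin validation (not code from the thread).
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv6Network
    max_length: int
    asn: int


# Constructed sample ROA: documentation prefix, documentation ASN.
ROAS = [ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500)]


def validate(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for a received route."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # rightmost AS in the path is the claimed origin
    covered = False
    for roa in roas:
        if net.version != roa.prefix.version or not net.subnet_of(roa.prefix):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if origin == roa.asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no match: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


# Constructed announcements: (label, prefix, AS path as received).
ROUTES = [
    ("holder announces aggregate", "2001:db8::/32", [64510, 64500]),
    ("other AS originates more-specific", "2001:db8:1::/48", [64511]),
    ("other AS sends path ending in ROA origin", "2001:db8:1::/48", [64511, 64500]),
    ("same path, longer than maxLength", "2001:db8:1:1::/64", [64511, 64500]),
    ("prefix with no ROA", "2001:db9::/32", [64511]),
]


def classify_all(routes=ROUTES):
    return {label: validate(prefix, path) for label, prefix, path in routes}


if __name__ == "__main__":
    for label, state in classify_all().items():
        print(f"{state:10} {label}")
```

Origin validation compares only the last AS in the path and the prefix length against the ROA, so the third route is "valid" even though AS 64511 sent it; maxLength is what rejects the /64.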
