Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: [Sidr] Re: S-BGP and IP prefix aggregation

  • From: Tony Li
  • Date: Fri Dec 02 03:42:58 2005

An alternative for sbgp design could be that aggregating ASN would create special self-signing cert for such aggregate block and that cert would have special attribute(s) indicating list of all sub-blocks and reference to all certs that "make" this aggregate block. Then verifying router in such a case would go through and verify each one of those sub-block certs (and those sub-block certs would have to be such that they give permission for announcing the block from that sub-block owner to aggregating ASN).

Advertising an aggregate that is not specifically assigned to you is known as "proxy aggregation".
William has given a good description of what's required above, but it needs a further enhancement
in that proxy aggregation will frequently need to happen in several locations for the aggregate to
have any true impact on routing. In graph theoretic terms, proxy aggregation must form a
"cut set" topologically around the longer prefixes to contain them and prevent them from being
distributed throughout the network.

Thus, any security mechanism needs to provide some means for indicating that
an entire set of ASes may legitimately be advertising a proxy aggregate prefix. How one
determines the appropriate set of ASes that are authorized is another interesting administrative
issue that needs to be resolved.
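
Added example, not part of the original message and not S-BGP code: a Python sketch of the check a verifying router would make under the scheme discussed above, where every sub-block holder must authorize the aggregating AS and a whole set of ASes may be authorized. The `SubBlockGrant` record, the function name, the prefixes and the AS numbers are constructed for illustration, and signature validation of the underlying certs is assumed to have happened already.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubBlockGrant:
    """Hypothetical stand-in for an already-validated sub-block cert."""
    prefix: str                       # the sub-block held by holder_as
    holder_as: int                    # AS the sub-block is assigned to
    permitted_aggregators: frozenset  # set of ASes allowed to proxy-aggregate it


def check_proxy_aggregate(aggregate, origin_as, grants):
    """Return (ok, reason) for origin_as announcing `aggregate` built from `grants`."""
    agg = ipaddress.ip_network(aggregate)
    nets = []
    for g in grants:
        net = ipaddress.ip_network(g.prefix)
        # Every referenced sub-block must lie inside the announced aggregate.
        if net.version != agg.version or not net.subnet_of(agg):
            return False, f"{g.prefix} lies outside {aggregate}"
        # Every sub-block holder must have authorized this particular aggregator.
        if origin_as not in g.permitted_aggregators:
            return False, f"AS{g.holder_as} has not authorized AS{origin_as} for {g.prefix}"
        nets.append(net)
    # The sub-blocks together must cover the aggregate exactly; a gap means
    # the announcement claims address space that nobody granted.
    if list(ipaddress.collapse_addresses(nets)) != [agg]:
        return False, "sub-blocks do not cover the aggregate"
    return True, "authorized"


# Constructed sample data: documentation prefix and documentation AS numbers.
AGG = "198.51.100.0/24"
CUT_SET = frozenset({64510, 64511})  # ASes allowed to originate the aggregate
GRANTS = [
    SubBlockGrant("198.51.100.0/25", 64500, CUT_SET),
    SubBlockGrant("198.51.100.128/25", 64501, CUT_SET),
]

if __name__ == "__main__":
    for asn in (64510, 64511, 64509):
        print(asn, check_proxy_aggregate(AGG, asn, GRANTS))
    print("missing grant:", check_proxy_aggregate(AGG, 64510, GRANTS[:1]))
```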

