North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: preventing future situations like panix
- From: Josh Karlin
- Date: Mon Jan 23 18:38:33 2006
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FcdQg/AA0cuwzBhWn//ZOhPErU7pfTYlApEnpiyeyj0ISU86WVPY4r4LXHPLHN4wNkaS8zMYUcbeTGbmclZjVy0N6lwVW16pb9PxvcYyfpUjS0D0WJu0Bskxw6OIrk/q/V2NSQxxwr4MT7fo0zlPX1uObogr4xRurP/vFMIwm7w=
> > It seems like most of the routers which would need to make this decision
> > wouldn't have adequate information upon which to do so...
>
> not necessarily. the decision could be made in "near real time" by
> building prefix filters based on the algorithms that josh and co have
> worked on and leaving a 'default deny' in place. this moves the
> routing decision off of the router (which i agree does not have the
> history or resources to take these additional vectors of information
> into account) and over to a server with more storage and computational
> capacity.
The 'core' routers are definitely the best informed, though other ASs
which are multi-homed also come across a substantial bit of
information through updates. Yet if only the core ASs were to run
such a solution, it would be sufficient to suppress most attacks for
at least a day. The paper has more detail on that situation.
|
