Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: preventing future situations like panix

  • From: Josh Karlin
  • Date: Mon Jan 23 20:48:09 2006
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta;; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=cf75lQzooXXwsvCM4a0qcpYcPWh+G/NY+EyoQAqvvIClqxi/uullLCAR1ZDoBSpx0NhtnwfDsvHTEfwFJrWKCXplSMo4L983bX1hx39UgXbPor/jj0VVrnWZiLm1x+H2en2g5SmifK8vt9fE1AoB90DkQBtRSn+sgoGSlBSVnUU=

For those prefixes announced by ConEd within the last 3 days that it
no longer owns, correct, it would not of helped.  But saving some is
certainly better than none.  For the second statement things get a
little more subtle.  We have considered allowing the trusted
originator of a prefix to split the space among itself and those
downstream of it without considering that suspicious behavior.  This
allows ASs to protect themselves via such methods.

Thanks for your comments!


On 1/23/06, Thor Lancelot Simon <> wrote:
> On Mon, Jan 23, 2006 at 12:47:38PM -0700, Josh Karlin wrote:
> >
> > Suspicious routes are those that originate at an AS that has not
> > originated the prefix in the last few days and those that introduce
> > sub-prefixes.  Sub-prefixes are always considered suspicious (~1 day)
> > and traffic will be routed to the super-prefix for the suspicious
> > period.
> So, if you consider the recent Cone-D hijacking incident, it seems to
> me that:
> 1) Cone-D's announcement of _some_ of the prefixes they announced would
>    have been considered "suspicious" -- but not all, since some of the
>    prefixes in question were for former customers or peers who had only
>    recently terminated their business arrangements with Cone-D.
> 2) Panix's first, obvious countermeasure aimed at restoring their
>    connectivity -- announcing their own address space split in half --
>    would *also* have been considered suspicious, since it gave two
>    "sub-prefixes" of what Cone-D was hijacking.
> Unless I misunderstand what you're proposing -- which is entirely possible,
> in fact perhaps even likely -- it seems to me that it might well have done
> at least as much harm as good.
> Thor

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.