[e2e] Re: bgp reflecting actual traffic flow (or not)

Rajesh Talpade rrt at research.telcordia.com
Mon Mar 24 14:17:42 PST 2003 

After an 8-month delay, 1-week will seem like an instant. :-)

The report is interesting. We have been exploring a related question,
which really caused me to ask the original question 8 months back.
Perhaps your data could be used to answer this question in more 
detail?

Hypothesis: 
The last-hop of an Internet AS-level path remains fairly static.

Explanation:
Traffic from a random IP address, destined to a target network, will 
use a specific link connecting the target network's neighbor/upstream 
provider (peer AS) to the target network's Border Routers (BR). This 
mapping between a source IP address and the peer AS-BR link is fairly 
static. Thus for each peer AS-BR link, it is possible to create a set 
of "expected IP addresses," which reflect the set of networks that use 
this link to reach the target network.

There is preliminary support for the hypothesis, based on our analysis 
of 41000 traceroutes to 20 targets from 24 Looking-Glass sites, and 
30-days of AS-path data from routeviews.org for the same 20 targets.

This result could be used for identifying/filtering spoofed DDoS 
packets arriving into the target network from its neighbors/upstream
providers.

We would appreciate any feedback or suggestions for next steps. I can
email a more detailed note on the preliminary results, please contact
me offline.

Thanks.
Rajesh.



"--- begin message from k claffy ---"
> 
> 
> 
> 
> 8 months may be my record for email latency
> impressive huh
> 
> On Tue, Jul 02, 2002 at 09:27:50PM -0400, Rajesh Talpade wrote:
>   > kc wrote:
>   > would recommend against assumptions of either symmetric paths
>   > or bgp reflecting actual traffic flow
>   > unless you're writing science fiction
>   
>   always wondered about what new career i could launch into! :-)
>   
>   seriously, what's a good reference for your second point about bgp not
>   reflecting actual traffic flow?
> 
> preliminary tech report finally up, have not wanted
> to publish till we had more complete results
> but that might not be in community's best interest so here:
> http://www.caida.org/outreach/papers/2003/ASP/
> (also linked from 'what's new' on caida.org)
> 
> remark reckon it's not going to surprise any operators, 
> and it's still only a piece of the interdomain alchemistry,
> 
> but there we bgp
> k
>

More information about the end2end-interest mailing list