"Defensive" BGP hijacking?
Jared Mauch
jared at puck.nether.net
Mon Sep 12 18:11:36 UTC 2016
> On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
>
> * Mel Beckman:
>
>> If we can't police ourselves, someone we don't like will do it for us.
>
> That hasn't happened with IP spoofing, has it? As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks. Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.
IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering.
BGP filtering is feasible in hardware and software today. You can put a 600k
line config on most devices without issues, and automate policy generation
with a tool like bgpq3 or similar.
Most hardware requires a recirculation of the packet to do a lookup on the
source IP address. This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.
- Jared
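The "automate policy generation" step above, as an added example that is not part of the original post and is not bgpq3's or Jared's code: a small Python script that takes IRR route objects, keeps only those originated by the customer ASN, drops bogons and prefixes longer than a maximum length, collapses covered more-specifics into a single "le" entry the way bgpq3's aggregation does, and renders an IOS-style prefix-list. The route objects, the abbreviated bogon list and the prefix-list name are constructed for illustration; a real run would feed it the output of a whois query against an IRR mirror and carry a full bogon list.

```python
import ipaddress

# Constructed sample IRR output (RPSL route objects).  Not real registry data;
# documentation prefixes stand in for a customer's allocations.
SAMPLE_IRR = """\
route:          192.0.2.0/24
origin:         AS64496
source:         EXAMPLE

route:          192.0.2.0/24
origin:         AS64496
source:         OTHER

route:          192.0.2.128/25
origin:         AS64496
source:         EXAMPLE

route:          198.51.100.0/23
origin:         AS64496
source:         EXAMPLE

route:          198.51.100.0/24
origin:         AS64496
source:         EXAMPLE

route:          203.0.113.0/24
origin:         AS64497
source:         EXAMPLE

route:          10.0.0.0/8
origin:         AS64496
source:         EXAMPLE
"""

# Abbreviated bogon list (assumption: a production filter uses a complete one).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_route_objects(text):
    """Parse RPSL route objects into (IPv4Network, origin ASN) pairs.
    Malformed prefixes (host bits set) are skipped rather than aborting the run."""
    objs, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if not line.strip():
            if "route" in cur and "origin" in cur:
                try:
                    objs.append((ipaddress.ip_network(cur["route"], strict=True),
                                 cur["origin"].upper()))
                except ValueError:
                    pass
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return objs


def select_prefixes(objs, origin_asn, max_len=24):
    """Keep IPv4 prefixes originated by origin_asn, dropping bogons and anything
    more specific than max_len (the usual DFZ acceptance limit)."""
    keep = set()                                 # set also de-duplicates mirrors
    for net, asn in objs:
        if asn != origin_asn or net.version != 4 or net.prefixlen > max_len:
            continue
        if any(net.subnet_of(b) for b in BOGONS):
            continue
        keep.add(net)
    return sorted(keep)


def aggregate(prefixes):
    """Collapse covered more-specifics into their covering prefix, returning
    (covering_prefix, longest_covered_length) pairs, like bgpq3 -A."""
    out = []
    for net in sorted(prefixes, key=lambda n: (n.network_address, n.prefixlen)):
        if out and net.subnet_of(out[-1][0]):
            out[-1][1] = max(out[-1][1], net.prefixlen)
        else:
            out.append([net, net.prefixlen])
    return [(n, longest) for n, longest in out]


def render_ios_prefix_list(name, aggregated):
    """Render IOS-style prefix-list lines.  An empty IRR result becomes an
    explicit deny-all so a transient empty query never yields an open filter."""
    lines = [f"no ip prefix-list {name}"]
    if not aggregated:
        return lines + [f"ip prefix-list {name} seq 5 deny 0.0.0.0/0 le 32"]
    for i, (net, longest) in enumerate(aggregated, start=1):
        rule = f"ip prefix-list {name} seq {i * 5} permit {net}"
        if longest > net.prefixlen:
            rule += f" le {longest}"
        lines.append(rule)
    return lines


def build_prefix_list(irr_text, origin_asn, name, max_len=24):
    prefixes = select_prefixes(parse_route_objects(irr_text), origin_asn, max_len)
    return render_ios_prefix_list(name, aggregate(prefixes))


if __name__ == "__main__":
    print("\n".join(build_prefix_list(SAMPLE_IRR, "AS64496", "AS64496-IN")))
```

On the sample, the two copies of 192.0.2.0/24 collapse to one entry, the /25 is rejected as too specific, 10.0.0.0/8 is rejected as a bogon, the AS64497 route is ignored, and 198.51.100.0/23 absorbs its /24 as "198.51.100.0/23 le 24". Regenerating and pushing this on a schedule is the piece that makes a large prefix-list operationally sustainable.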