AT&T/as7018 now drops invalid prefixes from peers

Job Snijders job at instituut.net
Tue Feb 12 15:31:13 UTC 2019


On Tue, Feb 12, 2019 at 3:06 PM Nick Hilliard <nick at foobar.org> wrote:
>
> Matthew Walster wrote on 12/02/2019 14:50:
> > For initial deployment, this can seem attractive, but remember that one
> > of the benefits an ROA gives is specifying the maximum prefix length.
> > This means that someone can't hijack a /23 with a /24.
>
> they can if they forge the source ASN.  RPKI helps against misconfigs
> rather than intentional hijackings.

Some networks have AS_PATH filters in place that prevent accepting a
spoofed ASN behind an EBGP session that is not authorized to announce
the spoofed ASN. Secondly, there also is a group of networks that
assign the same local preference for all routes received via peering -
meaning that the use of a spoofed ASN will make the AS_PATH one hop
longer. In other words: everyone should peer directly with the
destination networks that matter to them. This is not news of course.
:-)

I agree some attacks in some cases may still get through, but I've
come to think that ASN spoofing is far less of an issue than I
originally thought it would be.

Kind regards,

Job
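As an added illustration (not part of Job's post or anyone else's in the thread), the following Python sketch implements the RFC 6811 origin-validation states (valid / invalid / not-found, including the maxLength check Matthew mentions) and the per-peer AS_PATH filter Job describes. The ROAs, prefixes and ASNs are constructed examples from the documentation ranges; the "allowed ASN set" per peer is assumed to come from something like the peer's IRR AS-SET.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/23"
    max_length: int  # longest prefix length the origin may announce
    origin_as: int


def covers(roa: ROA, prefix) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return prefix.version == roa_net.version and prefix.subnet_of(roa_net)


def rov_state(roas, route_prefix: str, route_origin: int) -> str:
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        # Origin must match AND the announced length must not exceed maxLength,
        # so a /24 carved out of a /23 ROA with maxLength 23 is invalid.
        if r.origin_as == route_origin and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(roas, peer_allowed_asns, route_prefix: str, as_path) -> bool:
    """Policy sketch: drop RPKI-invalid routes, then reject any AS_PATH that
    carries an ASN this EBGP peer is not authorised to announce (the filter
    Job refers to). peer_allowed_asns is an assumed per-peer set of ASNs."""
    origin = as_path[-1]  # rightmost ASN in the path is the origin
    if rov_state(roas, route_prefix, origin) == "invalid":
        return False
    return all(asn in peer_allowed_asns for asn in as_path)


# Constructed sample data: one ROA, a legitimate peer and a spoofing peer.
SAMPLE_ROAS = [ROA("192.0.2.0/23", 23, 64496)]
PEER_64511_ALLOWED = {64511}   # AS64511 is not authorised to announce AS64496


def demo() -> dict:
    """ROV alone passes a forged-origin /23 (the limitation Nick raises),
    but the AS_PATH filter on the peer session still drops it."""
    return {
        "more_specific": rov_state(SAMPLE_ROAS, "192.0.2.0/24", 64496),
        "forged_origin_rov": rov_state(SAMPLE_ROAS, "192.0.2.0/23", 64496),
        "forged_origin_policy": accept_route(SAMPLE_ROAS, PEER_64511_ALLOWED,
                                             "192.0.2.0/23", [64511, 64496]),
    }
```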


