Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

Jakob Heitz (jheitz) jheitz at cisco.com
Tue May 24 19:45:19 UTC 2022


This attack will work very well until the victim starts advertising
its prefix. The victim may not notice the fake advertisement because the fake
advertisement will not reach the victim AS due to AS-path loop checking.

So potential victims must advertise all prefixes that they register in
RPKI or subscribe to an Internet monitoring service to detect the
fake advertisements.

And don't forget maxlen. You must advertise in BGP every prefix
covered by maxlen.

Regards,
Jakob.

-----Original Message-----
From: Saku Ytti <saku at ytti.fi>

On Tue, 24 May 2022 at 11:23, Max Tulyev <maxtul at netassist.ua> wrote:

> To make a working hijack of the routed prefix (for sniffing traffic,
> DDoS or something similar), you have to announce a more specific
> prefix(es). It can be denied by RPKI.
>
> If your signed RPKI prefix is still unannounced - yes, somebody can
> hijack it by forging the origin ASN - that's quite easy.

This axiomatically assumes first come, first served, which is obviously
not a complete understanding of the BGP best path algorithm.

-- 
  ++ytti
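The exchange above turns on three mechanics: RFC 6811 origin validation (a ROA authorises an origin ASN for a prefix up to maxLength), the gap Jakob describes (every prefix a ROA covers but the holder does not announce can be originated by anyone with a forged origin ASN and still be ROV-valid), and AS_PATH loop detection (the holder's own routers never see the forged UPDATE because their ASN is already in its path). The script below is an added example written for this archive page, not code from either poster or from Cisco; the ROAs, prefixes (RFC 5737 documentation space) and ASNs (private range) are constructed inputs, and the "attacker prepends itself and forges the origin" path shape is an assumption about the simplest forgery.

```python
import ipaddress

# Constructed ROAs for the example: (prefix, maxLength, authorised origin ASN).
# 198.51.100.0/22 is registered with maxLength 24 but only the /22 is in BGP.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64500),
]
# Constructed view of what the holder actually announces in BGP.
ANNOUNCED = ["203.0.113.0/24", "198.51.100.0/22"]


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers the route
        if net.prefixlen <= maxlen and origin_asn == roa_asn:
            return "valid"
    return "invalid" if covered else "notfound"


def unannounced_covered_prefixes(roas, announced):
    """Every prefix a ROA authorises (from its own length up to maxLength)
    that is absent from BGP.  A forged announcement of any of these with the
    ROA's origin ASN is ROV-valid; if it is more specific than anything the
    holder announces, longest-prefix match prefers it before best-path
    selection is even consulted."""
    announced_nets = {ipaddress.ip_network(p) for p in announced}
    exposed = []
    for roa_prefix, maxlen, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        for plen in range(roa_net.prefixlen, maxlen + 1):
            subs = [roa_net] if plen == roa_net.prefixlen \
                else roa_net.subnets(new_prefix=plen)
            for sub in subs:
                if sub not in announced_nets:
                    exposed.append((str(sub), roa_asn))
    return exposed


def accept_path(local_asn, as_path):
    """RFC 4271 AS_PATH loop detection: a BGP speaker discards any UPDATE
    whose AS_PATH already contains its own AS number."""
    return local_asn not in as_path


def simulate_hijack(roas, victim_asn, attacker_asn, target_prefix):
    """Attacker originates target_prefix with victim_asn forged as origin and
    its own ASN prepended (assumed simplest forgery).  Returns how a
    ROV-doing third party classifies it and whether the victim's routers
    would ever receive it."""
    forged_path = [attacker_asn, victim_asn]
    return {
        "rov": rov_state(target_prefix, victim_asn, roas),
        "victim_sees_it": accept_path(victim_asn, forged_path),
    }


def close_the_gap(roas, announced):
    """Jakob's mitigation: announce every prefix covered by maxLength."""
    return announced + [p for p, _ in unannounced_covered_prefixes(roas, announced)]


if __name__ == "__main__":
    for p, asn in unannounced_covered_prefixes(ROAS, ANNOUNCED):
        print(f"exposed: {p} (forgeable as AS{asn})")
    print(simulate_hijack(ROAS, 64500, 64666, "198.51.100.0/24"))
    print("after fix:", unannounced_covered_prefixes(ROAS, close_the_gap(ROAS, ANNOUNCED)))
```

Running it lists the two /23s and four /24s under 198.51.100.0/22 as forgeable, shows the forged /24 as ROV "valid" while `victim_sees_it` is False, and shows the exposed list empty once every covered prefix is announced; the second /24 ROA with maxLength equal to its own length exposes nothing, which is the usual advice for maxLength.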



More information about the NANOG mailing list