Dodgy AS327933 ...?
ayang at august.tw
Fri Aug 11 20:30:16 UTC 2023
BGP was indeed designed in an era when trust was implicit. Introducing
ASPA to sign a cryptographic list of authorized providers is a step in
the right direction. By validating both AS_PATH and route origin, the
chances of BGP hijacks and misconfigurations can be substantially
reduced.
https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/
On 2023-08-11 13:51, Mark Tinka wrote:
> On 8/11/23 12:56, Nick Hilliard wrote:
>
>>
>> bgp is a policy based distance vector protocol. If you can't adjust
>> the primary inter-domain metric to handle your policy requirements,
>> it's not much use.
>
> I am not talking about appending one's own AS in the AS_PATH. I am
> talking about appending someone else's AS in the AS_PATH.
>
> To be fair, I have never had to do that, since I've always thought it
> would be considered bad form. But I suspect that on the simple BGP
> mechanics of it, no vendor would be able to prevent that in any
> meaningful way.
>
> Then again, path hijacking likely wasn't a thought at the time the
> Border Gateway Protocol was being conceived.
>
> Mark.
--
August
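
Added example, not part of the original message and not code from the draft: a simplified Python sketch of the upstream-path check described in draft-ietf-sidrops-aspa-verification, showing how an AS inserted into the AS_PATH is rejected when it contradicts a published ASPA. The ASPA records, function names and AS numbers (documentation ASNs from RFC 5398) are constructed for illustration; the downstream procedure and the neighbor-AS check are not modeled.

```python
# Constructed sample ASPA data: customer AS -> set of authorized provider ASes.
ASPA = {
    64496: {64497},
    64497: {64498},
}

def hop(customer, provider, aspa):
    """Classify one hop using the customer's ASPA record, if it has one."""
    if customer not in aspa:
        return "no-attestation"
    return "provider+" if provider in aspa[customer] else "not-provider+"

def collapse_prepends(as_path):
    """Drop consecutive duplicates so prepending does not affect the result."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def verify_upstream(as_path, aspa):
    """Verify a path learned from a customer or peer.

    as_path is in wire order: nearest neighbor first, origin last.
    An AS_SET is modeled as a set/frozenset element and makes the path invalid.
    """
    if not as_path or any(isinstance(s, (set, frozenset)) for s in as_path):
        return "invalid"
    path = collapse_prepends(as_path)
    path.reverse()  # walk from the origin towards the receiver
    results = [hop(path[i], path[i + 1], aspa) for i in range(len(path) - 1)]
    if "not-provider+" in results:
        return "invalid"   # some AS has an ASPA that does not list the next AS
    if "no-attestation" in results:
        return "unknown"   # nothing contradicts the path, but it is not fully attested
    return "valid"

if __name__ == "__main__":
    print(verify_upstream([64498, 64497, 64496], ASPA))         # legitimate path
    print(verify_upstream([64498, 64497, 64497, 64496], ASPA))  # with prepending
    print(verify_upstream([64498, 64499, 64496], ASPA))         # 64499 inserted
    print(verify_upstream([64497, 64510], ASPA))                # origin has no ASPA
```

The inserted AS is caught only because 64496 has published an ASPA that does not list it; a hop whose customer AS has no ASPA yields "unknown" rather than "invalid".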