In case anyone hadn't seen this
John W. Stewart III
jstewart at isi.edu
Fri Apr 25 20:31:26 UTC 1997
my point is that right now authentication is mntner-based and
most access-list generation depends on an as-macro. so what's
to stop me from changing my as-macro to contain a few thousand
ASs and then config'ing my router to announce a zillion
prefixes? filtering as we know it today doesn't protect
against this .. the upstream provider would have to manually
intervene. even if the access-list generation depended on
as-in/as-out policy instead of just as-macros, and the tools
had some knowledge of what ASs were downstream to allow for
AS-path filtering as well as prefix-based, then i could still
just register zillions of prefixes with appropriate origins
and config my router to announce those zillions of prefixes
with appropriate AS-paths
all i'm saying is that parts of the system are fragile and
registries can't be viewed as a silver bullet
/jws
> On Fri, 25 Apr 1997, John W. Stewart III wrote:
>
> >
> > > The solution to this problem is filtering, which has been known for
> > > a long time.
> > >
> > > The provoders that have been filtering on the customer edge seem to
> > > have done much better in terms of providing sanitized routes. I am
> > > wondering how many such major outages need to occur in order to
> > > convince some providers to do customer filtering?
> >
> > i'd argue that filtering is protection against misconfigurations.
> > in practice, the way that filtering is done, it does not protect
> > us from malice; hopefully such attacks would be short-lived
> > because the immediate provider(s) would cut the person off, but
> > even short problems on the scale we're talking about are serious.
> > fortunately most of the wide-scale attacks we've seen have not
> > been within the routing system itself (though some have pounded
> > its infrastructure .. e.g., the low UDP port number attack), but
> > there's always that possibility. in order for filtering to
> > protect us from malicious attacks within the routing system we
> > need a lot more in the way of authentication for registries and
> > tools built on top of them
>
> Using the of RAWhoisd extended queries(*) it is very easy to build an
> accurate access list and an as-path filter as well.
>
> (*) see http://www.ra.net/RADB.tools.docs/rawhoisd.8.html
>
> It is equally simple for anyone having access to a router receiving the
> full BGP table to check the consistency of informations found in routing
> registries with the actual BGP entries *before* putting a new access list
> in action.
>
> Nothing else is required to inject sound routing information in the BGP
> mesh.
>
> > of course that means a lot of work, so people have to first
> > recognize how fragile some of this stuff is. today's excitement
> > is a very good example of that fragility
> >
> > to be clear, i am a fan of registries and filtering as they are
> > currently used .. there is no alternative other than chaos. i
> > just think it's a mistake to think that filtering as we know it
> > now is equivalent to a necessarily robust routing system
>
> All sorts of malicious attacks can give us headaches, but BGP
> annoucements, is just like crossing the street: carefully watch for what
> is already there and you will be safe.
>
> >
> > /jws
> >
>
> __
>
> Pierre Thibaudeau | e-mail: <prt at Teleglobe.CA>
> TELEGLOBE CANADA |
> 1000, rue de La Gauchetiere ouest | Tel: +1-514-868-7257
> Montreal, QC H3B 4X5 |
> Canada | fax: +1-514-868-8446
>
>
>
More information about the NANOG
mailing list