SEAN at SDG.DRA.COM
Thu Apr 15 10:54:20 UTC 1999
>Don't let a route being registered in one of the routing registries lull
>you into a false sense of security (sic), there is zero to very little
>real authentication done on a route registration. It only takes an ounce
>(or less) knowledge to register a route as being originated from any AS.
I have no illusion about the security of the routing registries. However
they do have a couple of nice properties. Route registries show duplicate,
and overlapping route registrations. BGP only shows the "best" routes. This
makes it a bit easier to notice there should be a "better" route. It also
serves as a form of "double-entry accounting," so simple accidents can
Most RRs also maintain some type of audit trail. Which, as you point out,
may or may not have a lot of authentication. For the non-malicious accident,
it tells you who to talk to. For the malicious event, having a second source
of data is helpful. I agree though RRs are less useful for this purpose.
I tend to be a fan of RRs for the double-entry bookeeping reason, not
because of any true authentication. Computers are good at detecting
differences between two sets of data. Computers are not good at deciding
right and wrong. I'm certain the mailing list will now enumerate the
large number of problems of route authentication, and the several proposals
in that area.
>Do I think this is a real problem? It hasn't been so far, probably due to
>our cooperative and trusting nature >;). I think it would take quite some
>resources and reputation killing stupidity (or malice) to inject 'illegal'
>routes and then do something meaningful with them.
I think the answer to this is it may not have been a problem to you, so far.
It is however a continuing problem for others. False route announcements
happen nearly every day. Most don't happen to attract much attention
because many of the victims are small sites, and the false announcements
tend to be transient in nature. So many people just think its the Internet
being flaky again. Often I've found the victim doesn't even realize it
happened to them. False route announcements are popular with some spammers
and crackers because its covers their origins a bit better.
If you do manage to track down a false announcement, the originator always
claims it was an accident. Although an unusually large number of accidential
route announcements seem to originate in Hong Kong. But that may just be
an artifact of the backbone they use, which can't be effectively filtered
due to a lack of route information. The same thing may happen in other
places, but they get filtered out by the routing registry information. They
seem to announce the route for only a few minutes, do their work, and are
gone before anyone notices. The 'slowness' of the routing registry update
process might cause people to notice their activities more. At the present
time even when the backbone security people return my page a couple of
hours later, the false route is gone, and the security folks say they don't
see anything wrong when they look at the net 'now.'
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
More information about the NANOG