Routing Protocol Security
Danny McPherson
danny at tcb.net
Tue Aug 13 18:42:10 UTC 2002
I know of several incidents where invalid routing announcements
were maliciously employed in order to cause reachability problems
to the destination prefix network.
It still bugs me that router vendors don't provide the capability
to support inter-provider filters (read: 10s or 100s of thousands
of instances). But heck, some providers still don't even filter
routing announcements for customer prefixes explicitly. This is
a HUGE vulnerability.
Likewise, employing the same set of inter-provider filters at
the data plane as ingress source filters would suppress the
bulk of these cheesy spoofed-source address attacks. This is
another HUGE vulnerability (providing a solution in hardware
is a bit more difficult -- though not impossible!). But heck,
some providers still don't employ customer ingress filtering.
Of course, then the vulnerability would be the registries, and
subsequent components therein.
Then again, at least the former was done many moons ago, though
wasn't really successful given the network, 24 hour turnarounds,
etc. However, things like BGP Route Refresh and the like could
alleviate most of the offshoots of the time.
Now, back to the router vendor support issue, if that's what
you were soliciting input on...?
-danny
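The post's two points, filtering a customer's routing announcements explicitly and reusing the same prefix set as an ingress source filter on the data plane, can be shown in a few lines. The following is an added example written for this page, not code from the post or from any router vendor; the customer names, the prefix list, and the announcement and packet samples are all constructed, and the prefix-list semantics (exact prefix plus more-specifics up to a maximum length) are an assumption modelled on the usual `le N` style prefix-list.

```python
import ipaddress

# Constructed example: per-customer permitted prefixes, as a provider would
# build them from the customer's registered allocations. Each entry permits
# the prefix itself and any more-specific up to `max_len` (assumed semantics,
# similar to a "prefix-list ... le N" entry). Customer names are hypothetical.
CUSTOMER_FILTER = {
    "cust-A": [("192.0.2.0/24", 24)],
    "cust-B": [("198.51.100.0/24", 26), ("2001:db8:100::/48", 48)],
}


def _entries(customer):
    """Yield (network, max_len) pairs for one customer."""
    for prefix, max_len in CUSTOMER_FILTER[customer]:
        yield ipaddress.ip_network(prefix), max_len


def announcement_permitted(customer, prefix):
    """Control plane check: accept a BGP announcement from `customer` only if
    it lies inside one of its permitted prefixes and is no more specific
    than that entry's max_len."""
    net = ipaddress.ip_network(prefix, strict=False)
    for allowed, max_len in _entries(customer):
        # Version check first: subnet_of() raises on mixed IPv4/IPv6.
        if (net.version == allowed.version
                and net.subnet_of(allowed)
                and net.prefixlen <= max_len):
            return True
    return False


def source_permitted(customer, src):
    """Data plane check: the same prefix set applied as an ingress source
    filter. A packet whose source address is outside every permitted prefix
    is treated as spoofed and dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == allowed.version and addr in allowed
               for allowed, _ in _entries(customer))


def filter_announcements(customer, announcements):
    """Split a list of announced prefixes into (accepted, rejected)."""
    accepted, rejected = [], []
    for p in announcements:
        (accepted if announcement_permitted(customer, p) else rejected).append(p)
    return accepted, rejected


def filter_packets(customer, sources):
    """Split a list of packet source addresses into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for s in sources:
        (forwarded if source_permitted(customer, s) else dropped).append(s)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample announcements: one valid, one too specific, one
    # belonging to somebody else (the kind of invalid announcement the post
    # describes causing reachability problems for the victim prefix).
    announced = ["192.0.2.0/24", "192.0.2.0/25", "203.0.113.0/24"]
    print("cust-A announcements:", filter_announcements("cust-A", announced))

    # Constructed sample packet sources: one legitimate, one spoofed.
    sources = ["192.0.2.10", "203.0.113.5"]
    print("cust-A ingress sources:", filter_packets("cust-A", sources))
```

Both checks walk the same `CUSTOMER_FILTER` table, which is the point of the post: once the provider has an explicit per-customer prefix list for route filtering, the data-plane source filter comes for free in software, and the hard part is only making the lookup fast enough in hardware.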
More information about the NANOG mailing list