Routing Protocol Security

Danny McPherson danny at tcb.net
Tue Aug 13 18:42:10 UTC 2002



I know of several incidents where invalid routing announcements 
were maliciously employed in order to cause reachability problems 
to the destination prefix network.  

It still bugs me that router vendors don't provide the capability 
to support inter-provider filters (read: 10s or 100s of thousands 
of instances).  But heck, some providers still don't even filter 
routing announcements for customer prefixes explicitly.  This is 
a HUGE vulnerability.

Likewise, employing the same set of inter-provider filters at 
the data plane as ingress source filters would suppress the 
bulk of these cheesy spoofed-source address attacks.  This is 
another HUGE vulnerability (providing a solution in hardware
is a bit more difficult -- though not impossible!).  But heck,
some providers still don't employ customer ingress filtering.

Of course, then the vulnerability would be the registries, and 
subsequent components therein.  

Then again, at least the former was done many moons ago, though 
it wasn't really successful given the network, 24-hour turnarounds, 
etc.  However, things like BGP Route Refresh and the like could
alleviate most of the offshoots of the time.

Now, back to the router vendor support issue, if that's what
you were soliciting input on...?

-danny
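The post argues for two things: explicit, per-customer filtering of BGP announcements, and reusing that same prefix set on the data plane as an ingress source-address filter. The following is an added example (not code from the original post or from NANOG) that shows what "the same filter set on both planes" means in practice. The customer ASN, prefixes and announcements are all constructed for illustration; the rendered prefix-list and ACL lines follow IOS-style syntax for illustration only and were not written by the post's author.

```python
import ipaddress

# Constructed example data (not from the original post): prefixes each customer
# ASN is authorised to originate, as one would pull from an IRR route object or
# a provisioning database. The "le" bound caps how specific an announcement may be.
CUSTOMER_PREFIXES = {
    "AS64500": [  # hypothetical customer ASN
        ("192.0.2.0/24", 24),       # exact match only
        ("198.51.100.0/24", 25),    # may be announced as the /24 or split into /25s
        ("2001:db8::/32", 48),      # the /32 and any more-specific down to /48
    ],
}


def build_filter(entries):
    """Parse (prefix, le) pairs into network objects once, so the control-plane
    and data-plane checks below consume exactly the same filter set."""
    return [(ipaddress.ip_network(p), le) for p, le in entries]


def announcement_permitted(filt, prefix):
    """Control plane: accept a BGP announcement only if it lies inside a
    permitted prefix and is no more specific than that entry's 'le' bound.
    A covering supernet or a foreign prefix (a hijack) fails both tests."""
    net = ipaddress.ip_network(prefix)
    for allowed, le in filt:
        if net.version != allowed.version:
            continue
        if net.subnet_of(allowed) and net.prefixlen <= le:
            return True
    return False


def source_permitted(filt, src):
    """Data plane: the same filter set applied as an ingress source-address
    check on the customer-facing interface. A packet whose source lies outside
    the customer's prefixes is spoofed (or misrouted) and is dropped at the edge."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == allowed.version and addr in allowed
               for allowed, _ in filt)


def apply_filters(filt, announcements, packet_sources):
    """Run both checks and return what each plane would accept and reject."""
    routes = {"accept": [], "reject": []}
    packets = {"accept": [], "reject": []}
    for p in announcements:
        routes["accept" if announcement_permitted(filt, p) else "reject"].append(p)
    for s in packet_sources:
        packets["accept" if source_permitted(filt, s) else "reject"].append(s)
    return routes, packets


def ios_prefix_list(name, filt):
    """Render the filter as IOS-style prefix-list lines (illustrative syntax)."""
    lines = []
    for seq, (allowed, le) in enumerate(filt, start=1):
        keyword = "ip" if allowed.version == 4 else "ipv6"
        bound = "" if le == allowed.prefixlen else f" le {le}"
        lines.append(f"{keyword} prefix-list {name} seq {seq * 5} permit {allowed}{bound}")
    return lines


def ios_ingress_acl(name, filt):
    """Render the IPv4 part of the same filter as an IOS-style extended ACL
    for the customer-facing interface (illustrative syntax)."""
    lines = [f"ip access-list extended {name}"]
    for allowed, _ in filt:
        if allowed.version == 4:
            lines.append(f" permit ip {allowed.network_address} {allowed.hostmask} any")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    filt = build_filter(CUSTOMER_PREFIXES["AS64500"])
    # Constructed announcements: a legitimate /24, a permitted /25, an
    # over-specific /26, a covering supernet, a foreign prefix, and two v6 cases.
    routes, packets = apply_filters(
        filt,
        ["192.0.2.0/24", "198.51.100.128/25", "198.51.100.0/26",
         "192.0.0.0/16", "203.0.113.0/24", "2001:db8:1::/48", "2001:db8::/64"],
        ["192.0.2.10", "198.51.100.200", "203.0.113.5", "2001:db8::1"],
    )
    print("routes:", routes)
    print("packets:", packets)
    print("\n".join(ios_prefix_list("CUST-AS64500", filt)))
    print("\n".join(ios_ingress_acl("CUST-AS64500-IN", filt)))
```

The point of keeping one source of truth is the one the post makes: whatever the registry or provisioning database says the customer may originate is also, by construction, the only set of source addresses that may arrive on that customer's port, so a prefix that would be rejected as an announcement is also rejected as a packet source.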

More information about the NANOG mailing list