the problems being solved -- or not

Pekka Savola pekkas at netcore.fi
Tue May 24 07:07:28 UTC 2005


On Mon, 23 May 2005, Tony Li wrote:
> Which is EXACTLY why we need to remember that we are NOT trying to come
> up with the perfect solution.  We have operational issues *TODAY* that
> we are trying to address.
>
> - We have people (admittedly accidentally) advertising prefixes that
>  they do not own and thereby overloading BGP.  See the talk at the
>  latest NANOG.
>
> - We have people intentionally out there forging /24's as an attack.
>
> - We have OTHER people out there flooding the networks with their /24's
>  so that they are less vulnerable to attack by forged /24's, and
>  thereby exacerbating the BGP overload problem.

I think it's also worth considering where we expect this mechanism to 
be deployed to be useful.

Let's take RIPE, RADB, etc. databases as an example.  Apparently we 
can't count on the ISPs filtering out crap from their customers, 
because otherwise we'd never have had these attacks.  Also apparently, 
we can't count on the transit ISPs to weed out the cruft that 
their ISPs spew in their direction and then to everyone else.

Let's look at Tony's points above.  These solutions cannot deal with 
the last case, i.e., the "owner" of the prefix decides to advertise 
more specifics (and the ISPs pass that crap through).  Then we're left 
with attacks where someone else advertises an equal route, or someone 
advertises a more specific.

So, what can you do?  Everyone must process their incoming full 
Internet feed and filter out bogus advertisements.  Prefix lists based 
on RIPE, RADB, etc. could block the more specific, but not an equal 
length prefix.

It certainly seems that "hardened BGP" doesn't do much good for the 
ISP-endsite security, and little good for transit-ISP security.

So, I guess I must ask -- if prefix lists haven't been deployed, why 
would this be?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
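The point Pekka makes about IRR-derived prefix lists (they can deny a more specific, but say nothing about who originates an equal-length prefix) can be modelled directly. The following is an added example, not code from the post or from any registry or router vendor: a toy prefix-list filter built from constructed route objects, with an origin comparison bolted on only to label which permitted routes a real prefix list would have let through without verifying anything. The prefixes (documentation ranges), AS numbers and route objects are constructed sample data.

```python
import ipaddress

# Constructed sample IRR data (route objects): registered prefix -> origin AS.
# Documentation address ranges and documentation AS numbers; not real
# registry content.
ROUTE_OBJECTS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/22": 64497,
}


def build_prefix_list(route_objects, max_len=None):
    """Build a prefix list from route objects.

    With max_len=None each entry permits only the registered length, which is
    what a strict per-customer prefix list does.  With max_len=N each entry
    behaves like '... le N', permitting more specifics down to /N, as an ISP
    does when it lets the prefix holder deaggregate its own block.
    """
    entries = []
    for prefix in route_objects:
        net = ipaddress.ip_network(prefix)
        upper = net.prefixlen if max_len is None else max(max_len, net.prefixlen)
        entries.append((net, upper))
    return entries


def check_announcement(prefix_list, prefix, origin_as, route_objects):
    """Return (accepted, reason) for one received announcement.

    A prefix list matches on the prefix alone.  origin_as is consulted only
    to label the result, so the output shows which accepted routes the
    filter never actually validated (forged origin, equal length).
    """
    net = ipaddress.ip_network(prefix)
    for allowed, upper in prefix_list:
        if net == allowed or (net.subnet_of(allowed) and net.prefixlen <= upper):
            # The prefix list permits it.  Compare against the registry to
            # see whether the permit said anything about the originator.
            registered = route_objects.get(str(allowed))
            if origin_as != registered:
                return True, "permit-forged-origin"
            if net != allowed:
                return True, "permit-more-specific"
            return True, "permit"
        if net.subnet_of(allowed):
            # Covered by a registered block but longer than the list allows.
            return False, "deny-more-specific"
    return False, "deny-unregistered"


def audit_feed(prefix_list, announcements, route_objects):
    """Run (prefix, origin_as) pairs through the filter and tally the reasons."""
    tally = {}
    for prefix, origin_as in announcements:
        _, reason = check_announcement(prefix_list, prefix, origin_as, route_objects)
        tally[reason] = tally.get(reason, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed feed: legitimate route, equal-length forgery, more specific
    # from a forger, more specific from the holder, and an unregistered prefix.
    feed = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64666),
        ("198.51.100.0/24", 64666),
        ("198.51.100.0/24", 64497),
        ("203.0.113.0/24", 64666),
    ]
    print("strict:", audit_feed(build_prefix_list(ROUTE_OBJECTS), feed, ROUTE_OBJECTS))
    print("le 24: ", audit_feed(build_prefix_list(ROUTE_OBJECTS, max_len=24), feed, ROUTE_OBJECTS))
```

With the strict list the forged 198.51.100.0/24 is denied as a more specific, but the forged 192.0.2.0/24 is permitted exactly like the genuine one; once the list is loosened to `le 24` so the holder can deaggregate, the forged /24 inside the /22 is permitted as well. Nothing in a prefix list distinguishes those cases, which is why the filter has to be paired with something that checks the origin.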