the problems being solved -- or not
Pekka Savola
pekkas at netcore.fi
Tue May 24 07:07:28 UTC 2005
On Mon, 23 May 2005, Tony Li wrote:
> Which is EXACTLY why we need to remember that we are NOT trying to come
> up with the perfect solution. We have operational issues *TODAY* that
> we are trying to address.
>
> - We have people (admittedly accidentally) advertising prefixes that
> they do not own and thereby overloading BGP. See the talk at the
> latest NANOG.
>
> - We have people intentionally out there forging /24's as an attack.
>
> - We have OTHER people out there flooding the networks with their /24's
> so that they are less vulnerable to attack by forged /24's, and
> thereby exacerbating the BGP overload problem.
I think it's also worth considering where we expect this mechanism to
be deployed to be useful.
Let's take RIPE, RADB, etc. databases as an example. Apparently we
can't count on the ISPs filtering out crap from their customers,
because otherwise we'd never have had these attack. Also apparently,
we can't count on the transit ISPs from weeding out the cruft that
their ISPs spew in their direction and then to everyone else.
Let's look at Tony's points above. These solutions cannot deal with
the last case, i.e., the "owner" of the prefix decides to advertise
more specifics (and the ISPs pass that crap through). Then we're left
with attacks where someone else advertises an equal route, or someone
advertises a more specific.
So, what can you do? Everyone must process their incoming full
Internet feed and filter out bogus advertisements. Prefix lists based
on RIPE, RADB, etc. could block the more specific, but not an equal
length prefix.
It certainly seems that "hardened BGP" doesn't do much good for the
ISP-endsite security, and little good for transit-ISP security..
So, I guess I must ask -- if prefix lists haven't been deployed, why
would this be?
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG
mailing list