BGP more specific prefixes

mauricio elelgrande maurielelgrande at gmail.com
Sat Aug 30 03:21:00 CDT 2008


Sorry for sending this "huge" mail :-)

At this moment we have a very simple multihomed ASN with a /20 prefix
(x.y.0.0/20), like many other companies in the world.

Some days ago, a BGP issue was announced about "IP hijacking".
OK, we understand that this is something "new" because the traffic is also
sent back to the "real owner" of the block.

What kind of assurance can we (and all internet providers) have that
nobody is announcing a subset of our prefix or a subset of our
customers' prefixes (e.g. x.y.0.0/24), disturbing the "normal" traffic flow?
Of course, we know about prefix monitoring tools (from RIPE and others),
but... is it the best solution?

Or can simply anyone announce the /24 prefix that he wants, "capturing" that
/24 prefix (of course, only if the "normal" prefix is smaller than that, e.g.
a /16)?
In other words... can anybody "capture" the /24 prefix that he wants?

For example, what happens if somebody announces a /24 from company "A"
while the "normal" valid prefix of company "A" is a /16, and directs it to
null0?
That /24 is "shut down".
That is not the "new IP hijacking" issue because the traffic is not sent
back to company "A".

The question is very simple: it is very, very difficult for me to believe
that anybody can "shut down" any /24 network that he wants in the world.
Am I right?
Or maybe the internet simply works like this, and the providers are very
careful about what they accept from their customers and what they announce
to other providers?
I don't know the details of how internet providers work, but I know that
when we set up multihoming for our ASN, both providers did not set up the
BGP session until we had created the "route object" in RIPE that relates
our ASN to our prefix. Also, both providers have configured filters in order
to accept only our prefix on our BGP session.

In other words... is there anybody on the internet who can be sure that
their traffic (traffic destined to their prefix) is not going to be "stolen"?
If yes... how?
Keep in mind that announcing the same prefixes as the attacker will not
totally solve the problem, because it is only a partial solution.

If announcing a more specific /24 network is so easy... why does this not
happen every day (for example, for shutting down competitors' sites)?

Best regards
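The following Python is an added example and is not part of the original post or any NANOG reply. It models the two mechanisms the post asks about: BGP longest-prefix match (why a /24 from anyone beats the legitimate /20, and why announcing your own /24 only ties rather than wins) and the provider-side ingress filter the poster describes (accept from a customer session only prefixes covered by that customer's route object, no more specific than an assumed /24 limit). All prefixes (10.20.0.0/20 standing in for x.y.0.0/20), ASNs (AS64496 for the poster, AS64499 for a hijacker), path lengths and the `ROUTE_OBJECTS` table are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original post. Prefixes and ASNs are constructed
# placeholders: 10.20.0.0/20 stands in for the poster's x.y.0.0/20, AS64496 for
# the poster's ASN, AS64499 for a hijacker (all from documentation ranges).


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path_len: int  # simplified stand-in for the BGP attributes used as a tie-break


def best_route(rib, dst):
    """Longest-prefix match: the most specific covering prefix wins, whoever
    originated it. Only among equally specific prefixes does the tie-break apply."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.as_path_len))


# Constructed IRR-style route objects: which prefixes each customer AS may originate.
ROUTE_OBJECTS = {
    64496: [ipaddress.ip_network("10.20.0.0/20")],
    64499: [ipaddress.ip_network("10.99.0.0/22")],  # the hijacker's own legitimate block
}


def accept_from_customer(customer_as, route, route_objects=ROUTE_OBJECTS, max_len=24):
    """Provider-side ingress filter on a customer session: accept a prefix only if
    the customer is the origin, one of its route objects covers the prefix, and
    the prefix is no more specific than max_len (assumed /24 policy)."""
    allowed = route_objects.get(customer_as, [])
    return (route.origin_as == customer_as
            and route.prefix.prefixlen <= max_len
            and any(route.prefix.subnet_of(p) for p in allowed))


def customer_prefix_allowed(customer_as, cidr, max_len=24):
    """Convenience wrapper: would the provider accept `cidr` from customer_as?"""
    route = Route(ipaddress.ip_network(cidr), customer_as, 1)
    return accept_from_customer(customer_as, route, max_len=max_len)


LEGIT = Route(ipaddress.ip_network("10.20.0.0/20"), 64496, 2)
HIJACK = Route(ipaddress.ip_network("10.20.0.0/24"), 64499, 2)
VICTIM_HOST = "10.20.0.10"


def origin_seen(upstream_filters_hijacker, victim_announces_more_specific=False,
                hijack_path_len=2, legit_path_len=2):
    """Origin AS a remote router ends up using for VICTIM_HOST in a given scenario.
    The hijack /24 reaches the RIB unless the hijacker's upstream filters it out."""
    rib = [LEGIT]
    hijack = Route(HIJACK.prefix, HIJACK.origin_as, hijack_path_len)
    if not upstream_filters_hijacker or accept_from_customer(hijack.origin_as, hijack):
        rib.append(hijack)
    if victim_announces_more_specific:
        # The "partial solution" from the post: the victim also announces the /24.
        rib.append(Route(HIJACK.prefix, LEGIT.origin_as, legit_path_len))
    return best_route(rib, VICTIM_HOST).origin_as


if __name__ == "__main__":
    print("no filtering:", origin_seen(False))                 # 64499: /24 beats /20
    print("hijacker's upstream filters:", origin_seen(True))   # 64496: /24 never propagates
    print("victim also announces /24, hijacker closer:",
          origin_seen(False, True, hijack_path_len=1, legit_path_len=2))  # 64499
    print("victim also announces /24, victim closer:",
          origin_seen(False, True, hijack_path_len=2, legit_path_len=1))  # 64496
```

The model makes the post's two observations concrete: the only place the /24 is stopped for everyone is at the hijacker's own upstream, where a route-object filter rejects it before it enters the table, whereas the victim announcing its own /24 merely creates a tie that each remote router breaks on path attributes, so routers topologically closer to the hijacker still follow the hijack.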



More information about the NANOG mailing list