Secure BGP (Was: YouTube IP Hijacking)
Jeroen Massar
jeroen at unfix.org
Mon Feb 25 11:04:18 UTC 2008
michael.dillon at bt.com wrote:
[..]
> Pushing this task off to a server that does not have packet-forwarding
> duties also allows for flexible interfaces to network management
> systems including the possibility of asking for human confirmation
> before announcing a new route.
There is no (direct) requirement for most of these solutions to do it in
the router that forwards actual packets; just add a special BGP box for
this. This box then 'verifies' whether the update looks OK. When the update
looks fishy it can, depending on what you want, either notify
your favourite $nocmonkey to look at it and/or at least instruct the
real routers not to use that path.
You can take (S-)BGP(-S) for verification, but you can also use IRR data
or whatever source you have for stating 'this prefix from there over
this path is trusted', compare against that and voilà, you get a report
when the assumed vectors don't match and you can at least react to them.
These kinds of systems already exist, see previous emails, but clearly
not too many actually make use of them, and that is too bad for your
customers who couldn't see their lolcats, or worse, who couldn't reach
their stock house to quickly sell their shares before that company
went down the drain completely...
Greets,
Jeroen
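The 'special BGP box' described in the message above, as an added example that is not code from the original post or from any of the tools referred to in the thread: it takes received updates (prefix plus AS path), compares them against IRR-style route objects and a list of known peers, and decides whether to accept, alert the NOC, or tell the real routers not to use the path. The route objects, peer ASNs and sample updates are all constructed for the example, using documentation prefixes and private-range ASNs; the 'alert' versus 'deny' policy is one reasonable choice, not a standard.

```python
"""Offline sanity check of BGP updates against IRR-style route objects.

Added example; not code from the original post. Prefixes are documentation
ranges and ASNs are from the private range, all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple  # leftmost = peer that sent it, rightmost = origin AS


# Constructed IRR-style route objects: registered prefix -> permitted origin ASNs.
ROUTE_OBJECTS = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/22": {64497},
    "203.0.113.0/24": {64498, 64499},  # multi-homed, two legitimate origins
}

# Constructed set of ASNs this box expects as the first hop of any path.
KNOWN_PEERS = {64500, 64501}


def covering_objects(prefix, route_objects):
    """Registered prefixes that equal or contain `prefix`, longest match first."""
    net = ipaddress.ip_network(prefix)
    hits = []
    for reg, origins in route_objects.items():
        reg_net = ipaddress.ip_network(reg)
        if reg_net.version == net.version and net.subnet_of(reg_net):
            hits.append((reg_net, origins))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return hits


def verify_update(update, route_objects=ROUTE_OBJECTS, known_peers=KNOWN_PEERS):
    """Return (code, message) findings; an empty list means the update matches
    the trusted 'this prefix from there over this path' vector."""
    findings = []
    if not update.as_path:
        return [("empty-path", "update carries no AS path")]
    peer, origin = update.as_path[0], update.as_path[-1]
    if peer not in known_peers:
        findings.append(("unknown-peer",
                         f"first hop AS{peer} is not a configured peer"))
    covering = covering_objects(update.prefix, route_objects)
    if not covering:
        findings.append(("no-route-object",
                         f"no route object covers {update.prefix}"))
        return findings
    reg_net, origins = covering[0]  # longest-match registered object
    net = ipaddress.ip_network(update.prefix)
    if origin not in origins:
        findings.append(("origin-mismatch",
                         f"origin AS{origin} not registered for {reg_net}; "
                         f"expected one of {sorted(origins)}"))
    if net.prefixlen > reg_net.prefixlen:
        findings.append(("more-specific",
                         f"{net} is a more-specific of registered {reg_net}"))
    return findings


def triage(update, **kwargs):
    """Decide what the verification box tells the routers and the NOC.

    'deny'  : wrong origin (including a more-specific from a foreign origin):
              tell the real routers not to use the path and page the NOC.
    'alert' : looks odd but may be legitimate (unknown peer, unregistered
              space, traffic-engineering more-specific from the registered
              origin): NOC only.
    'accept': matches the registered data.
    """
    findings = verify_update(update, **kwargs)
    codes = {code for code, _ in findings}
    if "origin-mismatch" in codes or "empty-path" in codes:
        action = "deny"
    elif codes:
        action = "alert"
    else:
        action = "accept"
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    # Constructed sample updates, including a more-specific from a foreign origin.
    samples = [
        Update("192.0.2.0/24", (64500, 64496)),
        Update("198.51.100.0/24", (64501, 64502)),
        Update("198.51.100.0/24", (64500, 64497)),
        Update("10.0.0.0/8", (64500, 64496)),
    ]
    for u in samples:
        result = triage(u)
        print(f"{u.prefix:18} path {u.as_path} -> {result['action']}")
        for _, msg in result["findings"]:
            print("    ", msg)
```

The longest-match lookup matters: a /24 carved out of a registered /22 by a different origin is the classic hijack shape and is denied, whereas the same /24 announced by the registered origin is only flagged, since operators routinely leak more-specifics for traffic engineering. Feeding this from a live IRR mirror and wiring 'deny' into a prefix-list push on the forwarding routers is the part the message leaves to the operator.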