Secure BGP (Was: YouTube IP Hijacking)

Jeroen Massar jeroen at unfix.org
Mon Feb 25 11:04:18 UTC 2008


michael.dillon at bt.com wrote:
[..]
> Pushing this task off to a server that does not have packet-forwarding
> duties also allows for flexible interfaces to network management
> systems including the possibility of asking for human confirmation
> before announcing a new route.

There is no (direct) requirement for most of these solutions to do it in 
the router that forwards the actual packets; just add a special BGP box for 
this. This box then 'verifies' whether the update looks OK. When the update 
looks fishy, it can, depending on what you want, either notify 
your favourite $nocmonkey to look at it and/or at least instruct the 
real routers not to use that path.

You can take (S-)BGP(-S) for verification, but you can also use IRR data 
or whatever source you have for stating 'this prefix from there over 
this path is trusted', compare against that, and voila, you get a report 
when the assumed vectors don't match, and you can at least react to them.

These kinds of systems already exist, see previous emails, but clearly 
not too many actually make use of them. Now that is too bad for your 
customers who couldn't see their lolcats, or worse, who couldn't reach 
their stock house to quickly sell their shares before that company 
went down the drain completely...

Greets,
  Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20080225/3e488236/attachment.sig>
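The 'special BGP box' sketched in the message above, as an added example (this is not Jeroen's code and not anything posted in the thread). It assumes a constructed table standing in for IRR route objects, built from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, and a constructed set of sample updates; the verdict and action names (accept / notify / withdraw) are this example's own choice. Each announcement is compared against the most specific registered route that covers it, so an exact match with a registered origin is accepted, a wrong origin or a more-specific announcement from an unregistered origin gets flagged for withdrawal on the real routers, and anything the data cannot judge is only reported to a human.

```python
"""Out-of-band BGP update checker: compare each received announcement
against IRR-style data and decide whether to accept it, notify someone,
or tell the forwarding routers to drop the path.

Added example, not code from the original post. The trusted-route table is
a constructed stand-in for IRR route objects (RFC 5737 documentation
prefixes, RFC 5398 documentation ASNs); verdict/action names are this
example's own choice.
"""
import ipaddress

# Constructed stand-in for IRR route objects: prefix -> authorised origin ASNs.
TRUSTED_ROUTES = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
    "203.0.113.0/24": {64498, 64499},  # multihomed: two authorised origins
}

# Constructed sample updates, one per line: "<prefix> <AS_PATH left to right>".
# The rightmost ASN is the origin, the leftmost the neighbour it arrived from.
SAMPLE_UPDATES = """\
192.0.2.0/24 64500 64496
198.51.100.0/24 64500 64501 64510
203.0.113.0/25 64500 64511
203.0.113.0/25 64500 64499
203.0.113.0/24 64500 64498
2001:db8::/32 64500 64502
"""


def parse_update(line):
    """Split a sample line into (ip_network, [asn, ...]); ValueError if malformed."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"need prefix and AS_PATH: {line!r}")
    return ipaddress.ip_network(fields[0], strict=True), [int(a) for a in fields[1:]]


def covering_routes(net):
    """Trusted routes that cover `net`, most specific first."""
    found = []
    for prefix, origins in TRUSTED_ROUTES.items():
        trusted = ipaddress.ip_network(prefix)
        if trusted.version == net.version and net.subnet_of(trusted):
            found.append((trusted, origins))
    found.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return found


def verify_update(net, as_path):
    """Return (verdict, action) for one announcement.

    Actions: "accept" (matches the registered data), "notify" (no basis to
    act, but a human should look), "withdraw" (instruct the forwarding
    routers not to use this path).
    """
    if not as_path:
        return "empty-as-path", "withdraw"
    origin = as_path[-1]
    covering = covering_routes(net)
    if not covering:
        # Nothing registered covers this prefix (also the case for an
        # announcement *less* specific than every registered route).
        return "no-irr-data", "notify"
    best, origins = covering[0]
    if best == net:
        if origin in origins:
            return "ok", "accept"
        return "origin-mismatch", "withdraw"
    # More specific than any registered route: the classic hijack shape,
    # since longest-match forwarding prefers it over the legitimate prefix.
    if origin in origins:
        return "more-specific-registered-origin", "notify"
    return "more-specific-unregistered-origin", "withdraw"


def check_updates(text):
    """Run the checker over newline-separated updates; return a report list."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            net, as_path = parse_update(line)
        except ValueError as exc:
            report.append({"update": line, "verdict": "unparsable",
                           "action": "notify", "detail": str(exc)})
            continue
        verdict, action = verify_update(net, as_path)
        report.append({"update": line, "verdict": verdict, "action": action,
                       "origin": as_path[-1]})
    return report


if __name__ == "__main__":
    for entry in check_updates(SAMPLE_UPDATES):
        print(f"{entry['action']:<8} {entry['verdict']:<34} {entry['update']}")
```

In a real deployment the input would come from a BGP feed (a route collector or an iBGP session to this box rather than a text blob), the table from a periodic IRR pull, and the "withdraw" action from whatever policy hook your routers offer; the comparison logic in the middle is the part that does not depend on any of that.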