Global Blackhole Service
jbates at brightok.net
Fri Feb 13 17:31:16 UTC 2009
Steven M. Bellovin wrote:
> In other words, a legitimate prefix hijacking service...
Absolutely, NOT. The origin AS will still be the AS that controls the IP
space. In fact, I think SBGP would be great for a layout like this to
secure down the injections. That being said, prefix lists with md5 auth
are probably the best we can hope for. Routing registry macro support or
a hashed authorization link sent to whois contacts to automate
modification of the prefix lists would be ideal (not much different than
a provider is *supposed* to do with their BGP customers). Once the peer
is established and limited in scope, they can then start advertising /32
networks into the blackhole server who will pass it on to others.
> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique. You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it. Those two points are *hard*. I also note that the
> scheme as described here is incompatible with more or less any possible
> secured BGP, since by definition it involves an AS that doesn't own a
> prefix advertising a route to it.
I would presume that md5 BGP peering with prefix lists developed based
on public information (whois/routing registry) is about as good as any
of us have it now. Granted, there are places that don't do that, and
that is where we see route hijacking. A service like this would have to
mandate it, to ensure any /32 injected into it came from the peer that
is authorized for the network the /32 belongs to. Since the AS_PATH can
be maintained, I don't see an issue with secure BGP. Granted, the
packets themselves won't be taking any path.
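As an added illustration of the acceptance check this message argues for (example code, not from the thread or from any real blackhole service), the following Python sketch validates a /32 injection against a constructed, hypothetical per-peer authorization table derived from whois/routing-registry data; it also generalises to IPv6 /128 host routes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical registry: what a blackhole server would derive
# from whois / routing-registry data before bringing up an md5-authenticated
# peer. Each peer may only inject host routes inside its own space, and the
# origin AS on the announcement must be that peer's AS.
AUTHORIZED = {
    "peer-a": {"asn": 64496, "prefixes": ["192.0.2.0/24", "2001:db8::/32"]},
    "peer-b": {"asn": 64497, "prefixes": ["203.0.113.0/24"]},
}


@dataclass
class Announcement:
    peer: str           # session the route arrived on
    prefix: str         # e.g. "192.0.2.5/32"
    as_path: list       # leftmost = sending AS, rightmost = origin AS


def check_blackhole(ann, registry=AUTHORIZED):
    """Return (accepted, reason). A route is accepted only if it is a host
    route, lies inside a prefix the sending peer is authorised for, and its
    AS_PATH originates in that peer's own AS."""
    entry = registry.get(ann.peer)
    if entry is None:
        return False, "unknown peer"
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes (/32 or /128) may be blackholed"
    if not ann.as_path or ann.as_path[-1] != entry["asn"]:
        return False, "origin AS does not match the authorised peer"
    for auth in entry["prefixes"]:
        auth_net = ipaddress.ip_network(auth)
        if auth_net.version == net.version and net.subnet_of(auth_net):
            return True, f"inside {auth}"
    return False, "prefix is outside the peer's authorised space"
```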