Securing the BGP or controlling it?

Zaid Ali zaid at zaidali.com
Mon May 10 12:32:47 CDT 2010


What we need (as operators) is to get better at ensuring that advertisements
are coming from the valid owner of said address space. What we don't need is
a separate governance model which I worry this article is trying to imply. I
still use RADB but I hear not every peer/provider checks there anymore? This
is hearsay so interested in other opinions.

As far as the mistakes pointed out in this article one can be assured that
these things are bound to happen. The youtube situation could have been
prevented if the peer opening a filter (and responsible for announcing out)
had reach to a system where the other peer's advertisement can be verified.
I don't think leaning on competency is a good way to go about solving this
problem, we need a system or model in place to ensure we have a trust and
verification system.

Zaid


On 5/10/10 9:54 AM, "Thomas Magill" <tmagill at providecommerce.com> wrote:

> All of the major providers I have worked with have required proof of
> 'ownership' of address space or an LoA from the registered holder of that
> space before they would allow advertisements from me, which are then filtered.
> Is this not the norm?  I can understand if they are talking about an operator
> making a mistake, but the article seems to imply that anyone running BGP can
> bring down the Internet...  I think any competent provider can easily
> eliminate this threat from customers.  Are there any types of penalties if an
> ISP is found to not be taking adequate precautions, other than the possible
> threat of losing business?
> 
> -----Original Message-----
> From: Franck Martin [mailto:franck at genius.com]
> Sent: Monday, May 10, 2010 9:48 AM
> To: nanog at nanog.org
> Subject: Re: Securing the BGP or controlling it?
> 
> APNIC allows you to put your BGP data in the whois, so like this you have a
> third party verification tool on who is peering with who.
> 






More information about the NANOG mailing list