BGP related question
Otis L. Surratt, Jr.
otis at ocosa.com
Thu Aug 1 16:31:06 UTC 2013
From: Shah, Parthiv [mailto:Parthiv.Shah at theclearinghouse.org]
Sent: Thursday, August 01, 2013 9:00 AM
To: nanog at nanog.org
Subject: BGP related question
>1) I would like to understand how can we detect and potentially
prevent activities like this? I understand native BGP was not design to
authenticate IP owners to the BGP broadcaster. Therefore, issues like
this due to a human error would happen. How >can activities like this be
detected as this is clearly a threat if someone decides to broadcast IP
networks of an organization and knock the real org. off the Net.
The most basic short answer would be use of proper filtering and LOAs.
Transit providers should be checking whether or not customers have
permission to act as a transit provider for prefixes or originate the
prefixes not registered to them by the RIRs.
If every operator would have controls in place to ensure folks are
originating the routes they are supposed to then you wouldn't have a
problem. However, it seems the best course of action is to implement
"checks and balances" internally to each organization which usually
prevents all together or mitigate things as much as possible. Human
error is inevitable. We have outside monitoring (bgpmon) for our
>2) In reference to prevention, I recall there were discussions about
secure BGP (S-BGP), Pretty Good BGP, or Secure Original BGP but I don't
remember if any one of them was finalized (from practicality viewpoint)
and if any one of them is >implementable/enforceable by ISPs (do anyone
have any insight)?
If I had to pick one based on practicality it would be secure original
BGP. You can create a fairly secure BGP session by using multiple
mechanisms (prefix lists/filters/routemaps, password, iACL,
TTL-security, AS limits etc.)
However, there are caveats to anything.
More information about the NANOG