"Defensive" BGP hijacking?
jared at puck.nether.net
Mon Sep 12 18:11:36 UTC 2016
> On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Mel Beckman:
>> If we can't police ourselves, someone we don't like will do it for us.
> That hasn't happened with IP spoofing, has it? As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks. Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.
IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering. BGP filtering is feasible in hardware and software today. You can put a 600k
line config on most devices without issues, and automate policy generation
with a tool like bgpq3 or similar.
Most hardware requires a recirculation of the packet to do a lookup on the
source IP address. This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.
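
An added example, not part of the original message and not bgpq3's own code: a sketch of the kind of policy generation the post says can be automated, turning IRR route objects into an IOS-style inbound prefix-list. The RPSL sample is constructed (documentation prefixes, private-use ASNs), and the function names, the list name CUST-IN and the /24 length cutoff are assumptions.

```python
import ipaddress

# Constructed RPSL route objects, shaped like an IRR whois reply.
SAMPLE_IRR = """\
route:      192.0.2.0/24
origin:     AS64500

route:      198.51.100.0/24
origin:     AS64501

route:      198.51.100.0/24
origin:     as64501

route:      198.51.100.0/28
origin:     AS64501

route:      203.0.113.0/24
origin:     AS64999
"""

def parse_routes(rpsl):
    """Yield (network, origin) per route object; skip malformed objects."""
    for block in rpsl.strip().split("\n\n"):
        attrs = dict(
            (k.strip().lower(), v.strip())
            for k, v in (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        )
        if "route" not in attrs or "origin" not in attrs:
            continue
        try:
            # strict=True rejects prefixes with host bits set
            net = ipaddress.ip_network(attrs["route"], strict=True)
        except ValueError:
            continue
        yield net, attrs["origin"].upper()

def build_prefix_list(rpsl, customer_asns, name, max_len=24):
    """Return config lines permitting only the customer's registered routes."""
    nets = {
        net for net, origin in parse_routes(rpsl)
        if origin in customer_asns and net.prefixlen <= max_len
    }
    lines = [f"no ip prefix-list {name}"]  # reset the list before rebuilding it
    lines += [f"ip prefix-list {name} permit {net}" for net in sorted(nets)]
    return lines

if __name__ == "__main__":
    print("\n".join(build_prefix_list(SAMPLE_IRR, {"AS64500", "AS64501"}, "CUST-IN")))
```

Prefixes are emitted as exact matches rather than aggregated, since merging adjacent entries would permit announcements that are not registered.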