"Defensive" BGP hijacking?

Jared Mauch jared at puck.nether.net
Mon Sep 12 18:11:36 UTC 2016


> On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> 
> * Mel Beckman:
> 
>> If we can't police ourselves, someone we don't like will do it for us. 
> 
> That hasn't happened with IP spoofing, has it?  As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks.  Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.

IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering.

BGP filtering is feasible in hardware and software today.  You can put a 600k 
line config on most devices without issues, and automate policy generation 
with a tool like bgpq3 or similar.

Most hardware requires a recirculation of the packet to do a lookup on the
source IP address.  This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.

- Jared
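As an added example, not part of Jared's message or of bgpq3 itself, this is the core of what such a tool automates: turning a customer's IRR route objects into a prefix-list with a maximum accepted prefix length, then evaluating announcements against it the way a router would. The route objects, AS64496 and the list name are constructed sample data, and the Cisco-style output format is an illustration, not bgpq3's exact output.

```python
import ipaddress

# Constructed sample IRR route objects for a hypothetical customer (not real data).
ROUTE_OBJECTS = [
    {"route": "192.0.2.0/24", "origin": "AS64496"},
    {"route": "198.51.100.0/23", "origin": "AS64496"},
    {"route": "2001:db8::/32", "origin": "AS64496"},
]

# Longest more-specific we are willing to accept, per address family.
# Anything longer is almost never a legitimate transit announcement.
MAX_LEN = {4: 24, 6: 48}


def build_prefix_list(objects, allow_more_specific=True):
    """Return entries of (network, min_len, max_len) derived from route objects."""
    entries = []
    for obj in objects:
        net = ipaddress.ip_network(obj["route"])
        upper = MAX_LEN[net.version] if allow_more_specific else net.prefixlen
        # Never let the ceiling drop below the registered length itself.
        upper = max(upper, net.prefixlen)
        entries.append((net, net.prefixlen, upper))
    return entries


def render_ios(name, entries):
    """Render entries as a Cisco-style prefix-list (illustrative format)."""
    lines = []
    for seq, (net, lo, hi) in enumerate(entries, start=10):
        kw = "ipv6 prefix-list" if net.version == 6 else "ip prefix-list"
        suffix = "" if hi == lo else f" le {hi}"
        lines.append(f"{kw} {name} seq {seq} permit {net}{suffix}")
    return "\n".join(lines)


def permitted(entries, announced):
    """Emulate the router match: covered by an entry and within its length range."""
    a = ipaddress.ip_network(announced)
    for net, lo, hi in entries:
        if a.version != net.version:
            continue  # subnet_of() raises on mixed families, so skip them
        if a.subnet_of(net) and lo <= a.prefixlen <= hi:
            return True
    return False


if __name__ == "__main__":
    pl = build_prefix_list(ROUTE_OBJECTS)
    print(render_ios("AS64496-IN", pl))
    for p in ("192.0.2.0/24", "192.0.2.128/25", "203.0.113.0/24"):
        print(p, "permit" if permitted(pl, p) else "deny")
```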
