"Is BGP safe yet?" test

Baldur Norddahl baldur.norddahl at gmail.com
Mon Apr 20 21:59:16 UTC 2020


On Mon, Apr 20, 2020 at 9:09 PM Randy Bush <randy at psg.com> wrote:

> but it provides almost zero protection against malicious attack.  the
> attacker merely has to prepend (in the formal, not cisco display) the
> 'correct' origin AS to their malicious announcement.
>
>
Yes but that makes the hijacked AS path length at least 1 longer which
makes it less likely that it can win over the true announcement. It is
definitely better than nothing.

Also AS number filtering might be more prevalent than prefix filtering. If
I know which origin ASNs I can accept from a peer and filter on that, then
RPKI will prevent them from faking protected prefixes.

Regards,

Baldur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200420/31de3551/attachment.html>


More information about the NANOG mailing list