"Is BGP safe yet?" test

Tue Apr 21 06:49:20 UTC 2020

tir. 21. apr. 2020 07.38 skrev Saku Ytti <saku at ytti.fi>:

> On Tue, 21 Apr 2020 at 01:02, Baldur Norddahl <baldur.norddahl at gmail.com>
> wrote:
>
> > Yes but that makes the hijacked AS path length at least 1 longer which
> makes it less likely that it can win over the true announcement. It is
> definitely better than nothing.
>
> Attacker has no incentive to honor existing AS path, attacker can
> rewrite it as they wish.
>

My company is in Europe. Lets say an attacker joins the IX in Seattle a
long way from here and a place we definitely are not present at. We do
however use Hurricane Electric as transit and they are peering freely at
Seattle. Everyone there thus sees our prefix with an as path length of two.
The attacker can originate the prefixes himself and that way his fake
announcements win at Seattle by having the length 1. With RPKI he needs to
use our ASN to originate and have his own ASN in between to facilitate
peering.  Thus the fake path also has the length of two. The real
announcement wins by virtue of being the oldest announcement and the attack
fails.

The situation is even worse for the attacker if he needs an IP transit
company to pick up the fake announcement. We have Telia, which filters
invalids, and if the attacker tries to get his fake prefix picked up by
them, his path will end up being one longer than ours, so he can never
succeed.

There are of course plenty of situations where the attack still succeeds. I
am not claiming this is a magical bullet. Just saying it might do more than
some thinks it will. Definitely better than nothing.

Regards
Baldur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200421/7f98df4f/attachment.html>