"Is BGP safe yet?" test
Andrey Kostin
ankost at podolsk.ru
Tue Apr 21 17:58:30 UTC 2020
Baldur Norddahl писал 2020-04-21 02:49:
> My company is in Europe. Lets say an attacker joins the IX in Seattle
> a long way from here and a place we definitely are not present at. We
> do however use Hurricane Electric as transit and they are peering
> freely at Seattle. Everyone there thus sees our prefix with an as path
> length of two. The attacker can originate the prefixes himself and
> that way his fake announcements win at Seattle by having the length 1.
> With RPKI he needs to use our ASN to originate and have his own ASN in
> between to facilitate peering. Thus the fake path also has the length
> of two. The real announcement wins by virtue of being the oldest
> announcement and the attack fails.
>
> The situation is even worse for the attacker if he needs an IP transit
> company to pick up the fake announcement. We have Telia, which filters
> invalids, and if the attacker tries to get his fake prefix picked up
> by them, his path will end up being one longer than ours, so he can
> never succeed.
>
> There are of course plenty of situations where the attack still
> succeeds. I am not claiming this is a magical bullet. Just saying it
> might do more than some thinks it will. Definitely better than
> nothing.
>
I think that for peering sessions regular filters can do their job more
directly and effectively. But I see that discussion moved away from
initial topic to general dispute about RPKI usefullness. The initial
topic though initially was about public web page that claimes your
network secure or insecure based on evaluation of only one technology
checking one particular specially crafted prefix.
Kind regards,
Andrey
More information about the NANOG
mailing list