[EXTERNAL] Re: Yet another BGP hijacking towards AS16509
job at fastly.com
Tue Aug 23 18:07:29 UTC 2022
On Tue, Aug 23, 2022 at 05:18:42PM +0000, Compton, Rich A wrote:
> I was under the impression that ASPA could prevent route leaks as well
> as path spoofing. This "BGP Route Security Cycling to the Future!"
> presentation from NANOG seems to indicate this is the case:
I'm not sure how ASPA can prevent AS Path spoofing. Perhaps something
got lost in translation?
ASPA records are published in the RPKI, from there a RPKI RP transforms
the ASN.1/X.509/crypto stuff into something 'plain text'. This 'plain
text' data is loaded into EBGP routers via RTR, which then compare the
*plain text* AS_PATH attribute to the table of plain-text ASPA records,
to determine if it came via an authorized upstream provider or not.
In this sense, ASPA (just by itself) suffers the same challenge as RPKI
ROA-based Origin Validation: the input (the BGP AS_PATH) is unsigned and
unsecured; thus spoofable.
> Also, can't the path spoofing protection that BGPsec provides be
> defeated by an attacker advertising a hijacked prefix with a forged
> AS_PATH without BGPsec?
An attacker certainly can try to announce hijacked prefixes with a
forged AS_PATH (knowing that BGPsec-protected paths also exist). But the
attacker has no influence on the local routing policy of other networks.
I imagine that in a 'partial BGPsec' deployment future some operators
might opt to assign a higher LOCAL_PREF to BGPSec secured paths; or
apply a form of 'peerlock' ("I only accept routes with so-and-so ASN if
seen via BGPsec secured paths); this is an area of future study.
> In order to get around this vulnerability, all of the Internet would
> have to only perform BGPsec which doesn't seem realistic.
The vulnerability is "if the operator configures their routers to use
non-signed paths, the operator choose to use a non-signed path" (I hope
this makes sense).
> Security solutions where everyone has to implement the control before
> it works effectively are rarely adopted.
Fully agreed. Fortunately, I see a number of scenarios in which a partial
deployment of BGPsec benefits those who deployed it. Ultimately BGPsec
deployment is a 'selfish' act, as in that the benefits are immediate to
the two adjacent networks using BGPsec to protect the paths between
Perhaps I should prepare a NANOG presentation to outline why BGPsec does
not require 100% deployment to be beneficial?
More information about the NANOG