North American Network Operators Group
Re: That pesky AS path corruption bug...
On Tue, 23 May 2000, Blaine Christian wrote:

> else is free game. Who besides a route-server would want to prepend an
> AS besides their own. Who wants to allow customers and perhaps even
> peers to send routes prepending an AS that is not their own?

FWIW, route servers (at least RSng ones) either prepend their own AS or leave the path information alone. No sane BGP speaker would prepend anything other than its own, its peers (proxy AS prepending) or internal AS numbers for confederation purposes.

This isn't to say that "routers" can't diddle with it all they want. If you have access to a BGP session and can muck with AS-paths in routing updates, you have access to a very effective denial of routing attack.

The only valid defense against such mucking that I can think of is verifying AS adjacencies against some registry and flagging unknown paths. This is not a cheap thing to do. This, however, is far saner than cryptographically signing all routing updates which is one solution I've heard proposed. :-P

--
Jeffrey Haas - Merit RSng project - firstname.lastname@example.org
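
The adjacency check described in the message above, as an added example that is not part of the original post or of any Merit/RSng code: each neighbouring pair of AS numbers in a received path is looked up in a registry of known adjacencies, and unknown pairs are flagged. The registry contents, the function names and the documentation AS numbers (RFC 5398) are constructed for illustration, and only a plain AS_SEQUENCE is handled.

```python
# Constructed registry of known AS adjacencies (documentation ASNs, RFC 5398).
# Assumption: a real one would be built from routing-registry data.
KNOWN_ADJACENCIES = {
    frozenset(pair)
    for pair in [(64496, 64497), (64497, 64498), (64498, 64499), (64497, 64500)]
}


def parse_as_sequence(path_text):
    """Parse a space-separated AS_SEQUENCE such as '64497 64498 64499'.

    Anything that is not a plain AS number (for example an AS_SET in braces)
    raises ValueError so an unparsed path is never silently accepted.
    """
    hops = []
    for token in path_text.split():
        if not token.isdigit():
            raise ValueError(f"unsupported AS path element: {token!r}")
        hops.append(int(token))
    return hops


def unknown_adjacencies(path_text, local_as=None, registry=KNOWN_ADJACENCIES):
    """Return the adjacent AS pairs in the path that the registry does not list.

    local_as, if given, is placed in front of the path so the link between
    this network and the neighbour that sent the update is checked as well.
    """
    hops = parse_as_sequence(path_text)
    if local_as is not None:
        hops.insert(0, local_as)
    flagged = []
    for left, right in zip(hops, hops[1:]):
        if left == right:
            continue  # same AS repeated: prepending, not a new adjacency
        if frozenset((left, right)) not in registry and (left, right) not in flagged:
            flagged.append((left, right))
    return flagged


if __name__ == "__main__":
    # Constructed sample updates, all received by local AS 64496
    for path in ["64497 64497 64498 64499", "64497 64499", "64500 64498"]:
        print(path, "->", unknown_adjacencies(path, local_as=64496) or "ok")
```

A flagged pair means only that the registry has no record of the two networks being adjacent, so the result is a prompt for review rather than proof of tampering.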