North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
the problems being solved -- or not
On Mon, 23 May 2005, Tony Li wrote:
I think it's also worth considering where we expect this mechanism to be deployed to be useful.Which is EXACTLY why we need to remember that we are NOT trying to come up with the perfect solution. We have operational issues *TODAY* that we are trying to address. - We have people (admittedly accidentally) advertising prefixes that they do not own and thereby overloading BGP. See the talk at the latest NANOG. - We have people intentionally out there forging /24's as an attack. - We have OTHER people out there flooding the networks with their /24's so that they are less vulnerable to attack by forged /24's, and thereby exacerbating the BGP overload problem.
Let's take RIPE, RADB, etc. databases as an example. Apparently we can't count on the ISPs filtering out crap from their customers, because otherwise we'd never have had these attack. Also apparently, we can't count on the transit ISPs from weeding out the cruft that their ISPs spew in their direction and then to everyone else.
Let's look at Tony's points above. These solutions cannot deal with the last case, i.e., the "owner" of the prefix decides to advertise more specifics (and the ISPs pass that crap through). Then we're left with attacks where someone else advertises an equal route, or someone advertises a more specific.
So, what can you do? Everyone must process their incoming full Internet feed and filter out bogus advertisements. Prefix lists based on RIPE, RADB, etc. could block the more specific, but not an equal length prefix.
It certainly seems that "hardened BGP" doesn't do much good for the ISP-endsite security, and little good for transit-ISP security..
So, I guess I must ask -- if prefix lists haven't been deployed, why would this be?
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings