North American Network Operators Group
Re: Revealed: The Internet's well known BGP behavior
- From: Gadi Evron
- Date: Thu Aug 28 05:03:27 2008
On Wed, 27 Aug 2008, Patrick W. Gilmore wrote:

> On Aug 27, 2008, at 11:07 PM, John Lee wrote:
>
>> 1. The technique is not new; it is well known BGP behavior and not stealthy
>> to people who route for a living.
>
> Using existing technology in novel ways is still novel. Plus it makes the
> technique more accessible. (Perhaps that is not a good thing?)

People (especially spammers) have been hijacking networks for a while now;
maybe now that we have a presentation to whore around, operators can
pressure vendors and bosses.

>> 2. When your networks use VPNs, MPLS, IPsec, SSL et al. you can control what
>> packets are going where.
>
> No, you cannot. You can only ensure your end points are the end points you
> think they are. In no way, shape, or form do things like IPsec, SSL, etc.
> verify or control the intermediate hops.
>
>> 3. When you are running some number of trace routes per hour to see how and
>> where your packets are going you spot the additional hops.
>
> The presentation specifically shows hiding the hops by re-writing TTLs.
> Perhaps you do not understand this attack as well as you thought?
>
>> 4. If you do cold potato routing and know where your peering points are and
>> what the ACLs and peering policies are it is more difficult to hijack.
>
> Would that network operators were so diligent.
>
>> And finally, you use high-speed optical paths or broadband ISDN (ATM); why
>> route when you can deterministically switch.
>
> Because people want to be able to reach the entire planet with a single port
> and without "deterministically" creating paths to every single end point.
>
> Why use ISDN (ATM) when you can do something useful?
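Since the thread's point is that traceroutes and end-to-end crypto will not reveal a hijack, the practical check an operator can run is on the control plane: watch the routes others see for your prefixes. The script below is an added example, not from this thread or the presentation it discusses; the prefixes, ASNs and announcements are constructed, and it flags a monitored prefix announced from an unexpected origin AS as well as any more-specific of a monitored prefix, which wins by longest match regardless of who originated it.

```python
import ipaddress

# Constructed sample of announcements as a route collector might show them:
# (prefix, AS path with the origin AS last). Not real routes.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", [64500, 64510, 64520]),
    ("198.51.100.0/24", [64500, 64530]),
    ("192.0.2.0/25", [64500, 64540, 64599]),  # hypothetical more-specific
]

# Prefixes we operate and the origin ASNs allowed to announce them (constructed).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64520},
    "198.51.100.0/24": {64530},
}


def check_routes(routes, expected):
    """Return (prefix, origin_as, reason) for every announcement that conflicts
    with the expected origins: either a monitored prefix from the wrong origin,
    or a more-specific of a monitored prefix (flagged even if the origin matches,
    because a more-specific we did not announce still diverts traffic)."""
    monitored = {ipaddress.ip_network(p): o for p, o in expected.items()}
    alerts = []
    for prefix, as_path in routes:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        if net in monitored:
            if origin not in monitored[net]:
                alerts.append((prefix, origin, "unexpected origin AS"))
            continue
        for mon, origins in monitored.items():
            # subnet_of() requires the same IP version; the sample is all IPv4.
            if net.version == mon.version and net.subnet_of(mon):
                reason = f"more-specific of {mon}"
                if origin not in origins:
                    reason += ", unexpected origin AS"
                alerts.append((prefix, origin, reason))
    return alerts


if __name__ == "__main__":
    for alert in check_routes(SAMPLE_ROUTES, EXPECTED_ORIGINS):
        print(alert)
```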