Re: In case anyone hadn't seen this

[Pierre Thibaudeau <prt () Teleglobe CA>]

On Fri, 25 Apr 1997, John W. Stewart III wrote:

>    
>     > The solution to this problem is filtering, which has been known for 
>     > a long time. 
>     > 
>     > The provoders that have been filtering on the customer edge seem to 
>     > have done much better in terms of providing sanitized routes. I am
>     > wondering how many such major outages need to occur in order to 
>     > convince some providers to do customer filtering?
>    
>    i'd argue that filtering is protection against misconfigurations.
>    in practice, the way that filtering is done, it does not protect
>    us from malice; hopefully such attacks would be short-lived
>    because the immediate provider(s) would cut the person off, but
>    even short problems on the scale we're talking about are serious.
>    fortunately most of the wide-scale attacks we've seen have not
>    been within the routing system itself (though some have pounded
>    its infrastructure .. e.g., the low UDP port number attack), but
>    there's always that possibility.  in order for filtering to
>    protect us from malicious attacks within the routing system we
>    need a lot more in the way of authentication for registries and
>    tools built on top of them

Using the of RAWhoisd extended queries(*) it is very easy to build an
accurate access list and an as-path filter as well.

(*) see http://www.ra.net/RADB.tools.docs/rawhoisd.8.html

It is equally simple for anyone having access to a router receiving the
full BGP table to check the consistency of informations found in routing
registries with the actual BGP entries *before* putting a new access list
in action. 

Nothing else is required to inject sound routing information in the BGP
mesh.

>    of course that means a lot of work, so people have to first
>    recognize how fragile some of this stuff is.  today's excitement
>    is a very good example of that fragility
>    
>    to be clear, i am a fan of registries and filtering as they are
>    currently used .. there is no alternative other than chaos.  i
>    just think it's a mistake to think that filtering as we know it
>    now is equivalent to a necessarily robust routing system

All sorts of malicious attacks can give us headaches, but BGP
annoucements, is just like crossing the street: carefully watch for what
is already there and you will be safe. 

>    
>    /jws
>    

__

Pierre Thibaudeau                     |   e-mail: <prt () Teleglobe CA>
TELEGLOBE CANADA                      |
1000, rue de La Gauchetiere ouest     |      Tel: +1-514-868-7257
Montreal, QC   H3B 4X5                |
Canada                                |      fax: +1-514-868-8446



- - - - - - - - - - - - - - - - -