RE: Wow, AS7007!

[Dave Van Allen <dave () fast net>]

> -----Original Message-----
> From:  Stephen A Misel [SMTP:stevem () hway net]
> Sent:  Friday, April 25, 1997 12:53 PM
> To:    nanog () merit edu
> Subject:       Wow, AS7007!
>
> I happened to be in one of our 7505 routers this afternoon when POP -- all
> of a sudden most of the internet disappeared!  I immediately thought it was
> me, but looked around and saw this AS7007 broadcasting MY routes!  
>
> [...]
>
> Correct me if I'm wrong, but:
>
>       (1)  We're going to read about this in EVERY computer magazine, newspaper
> and TV as "the end of the internet?"
>
> Probably. It's newsworthy in that it punctuates the statement "Nearly anyone
> with a BGP router in hand can instantly core-dump the global routing tables"
>
>       (2)  Access lists by backbone providers *should* have prevented this.
>
> Mostly.  An ISP, whether large or small that BGP's with customers can indeed
> do distribute ACL's both on AS heard, and routes learned, including masks.
> You can easily re-announce or announce only what you want, or not announce or
> re-announce routes that are inconsistent with your policy or ACL's.
>
>       (3)  Does or does not the RADB and other routing registries (MCI's, etc)
> prevent this?
>
> It helps, but all you need are a few ingress' that do not filter and you can
> pollute enough of the core to hose it very nicely indeed.
>
> I bet this hole will be patched up real soon!
>
> I don't think so.  I'm not sure that this is as much a "hole" as it is a
> relationship and trust issue.  Right now, when things go OK, the routing
> policies on Net work pretty well.  Unarguably, they need refining, but
> all-in-all the Net still relies mostly on trust, as it has from the
> beginning.  If we simply take all trust away, then the current topology would
> not work, and may not be able to be made to work quickly enough, without even
> more disasters.
>
> This exact thing has happened before, and potentially will happen again
> because all it can take is one typo under 'router bgp xxxxx' at the right
> place, in the right network, and the Internet can go quickly to /dev/null.
> This is the trust factor.  We all rely on the fact that router-jocks won't
> typo, will filter where appropriate, and will educate rookies prior to
> whispering the enable passwd to them.
>
> A few things would help, IMO - All BGP should be authenticated, and all
> neighbors should be ACL'd.
>
> Now after spending 4 hours announcing more specifics to cover the bogon
> routes so we could play Internet today for a bit, it's time to be a
> good-netcitizen and see if I can't re-CIDR myself.  Then it's off to the
> Scotch locker! :-)
>
>
> Best regards,
>
> Dave Van Allen - You Tools Corporation/FASTNET(tm)
> dave () fast net (610)289-1100 http://www.fast.net
> FASTNET - PA/NJ/DE Business Internet Solutions
- - - - - - - - - - - - - - - - -