nanog mailing list archives
RE: BGP related question
From: "Otis L. Surratt, Jr." <otis () ocosa com>
Date: Thu, 1 Aug 2013 11:31:06 -0500
-----Original Message----- From: Shah, Parthiv [mailto:Parthiv.Shah () theclearinghouse org] Sent: Thursday, August 01, 2013 9:00 AM To: nanog () nanog org Subject: BGP related question
1) I would like to understand how can we detect and potentially
prevent activities like this? I understand native BGP was not design to authenticate IP owners to the BGP broadcaster. Therefore, issues like this due to a human error would happen. How >can activities like this be detected as this is clearly a threat if someone decides to broadcast IP networks of an organization and knock the real org. off the Net. The most basic short answer would be use of proper filtering and LOAs. Transit providers should be checking whether or not customers have permission to act as a transit provider for prefixes or originate the prefixes not registered to them by the RIRs. If every operator would have controls in place to ensure folks are originating the routes they are supposed to then you wouldn't have a problem. However, it seems the best course of action is to implement "checks and balances" internally to each organization which usually prevents all together or mitigate things as much as possible. Human error is inevitable. We have outside monitoring (bgpmon) for our prefixes.
2) In reference to prevention, I recall there were discussions about
secure BGP (S-BGP), Pretty Good BGP, or Secure Original BGP but I don't remember if any one of them was finalized (from practicality viewpoint) and if any one of them is >implementable/enforceable by ISPs (do anyone have any insight)? If I had to pick one based on practicality it would be secure original BGP. You can create a fairly secure BGP session by using multiple mechanisms (prefix lists/filters/routemaps, password, iACL, TTL-security, AS limits etc.) However, there are caveats to anything.
Current thread:
- BGP related question Shah, Parthiv (Aug 01)
- Re: BGP related question chip (Aug 01)
- RE: BGP related question Otis L. Surratt, Jr. (Aug 01)
- Re: BGP related question Andree Toonk (Aug 01)