nanog mailing list archives
Re: AT&T/as7018 now drops invalid prefixes from peers
From: Job Snijders <job () instituut net>
Date: Tue, 12 Feb 2019 15:31:13 +0000
On Tue, Feb 12, 2019 at 3:06 PM Nick Hilliard <nick () foobar org> wrote:
> Matthew Walster wrote on 12/02/2019 14:50:
>> For initial deployment, this can seem attractive, but remember that one of the benefits an ROA gives is specifying the maximum prefix length. This means that someone can't hijack a /23 with a /24.
>
> they can if they forge the source ASN. RPKI helps against misconfigs rather than intentional hijackings.
Some networks have AS_PATH filters in place that prevent accepting a spoofed ASN behind an EBGP session that is not authorized to announce the spoofed ASN.

Secondly, there also is a group of networks that assign the same local preference for all routes received via peering - meaning that the use of a spoofed ASN will make the AS_PATH one hop longer.

In other words: everyone should peer directly with the destination networks that matter to them. This is not news of course. :-)

I agree some attacks in some cases may still get through, but I've come to think that ASN spoofing is far less of an issue than I originally thought it would be.

Kind regards,

Job
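An added example, not part of the original message or thread: a sketch of RFC 6811-style origin validation combined with a per-session origin filter, covering the points made in the exchange above (maxLength, a forged origin AS, AS_PATH filters and path length). The prefix, the ASNs and the `PEER_ALLOWED_ORIGINS` table are constructed for illustration.

```python
import ipaddress

# Constructed sample data: benchmarking prefix and documentation ASNs.
# Each ROA is (prefix, maxLength, authorized origin AS).
ROAS = [(ipaddress.ip_network("198.18.0.0/23"), 23, 64496)]

# Hypothetical per-session policy: origin ASNs each EBGP neighbor may announce.
PEER_ALLOWED_ORIGINS = {64496: {64496}, 64511: {64511}}


def rov_state(prefix, origin_as, roas=ROAS):
    """Route origin validation in the style of RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True  # at least one ROA covers this route
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    # Covered but never matched: wrong origin or longer than maxLength.
    return "invalid" if covered else "not-found"


def accept_from_peer(peer_as, prefix, as_path):
    """Drop ROV-invalid routes, then apply the per-session origin filter."""
    origin = as_path[-1]  # ROV only looks at the rightmost AS in the path
    if rov_state(prefix, origin) == "invalid":
        return False, "rov-invalid"
    if as_path[0] != peer_as:
        return False, "first AS is not the neighbor"
    if origin not in PEER_ALLOWED_ORIGINS.get(peer_as, set()):
        return False, "origin not authorized on this session"
    return True, "accepted"


def prefer(paths):
    """With equal local preference, the shorter AS_PATH wins."""
    return min(paths, key=len)


if __name__ == "__main__":
    print(rov_state("198.18.1.0/24", 64496))   # /24 exceeds maxLength 23
    print(rov_state("198.18.0.0/23", 64496))   # origin check alone passes
    print(accept_from_peer(64511, "198.18.0.0/23", [64511, 64496]))
    print(prefer([[64511, 64496], [64496]]))   # direct path is shorter
```

The origin check returns the same state for the legitimate `[64496]` path and for `[64511, 64496]`, because it never inspects anything but the rightmost AS; only the session filter and the path-length comparison tell the two apart.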