[102714] in North American Network Operators' Group


Re: Secure BGP (Was: YouTube IP Hijacking)

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Mon Feb 25 06:17:46 2008

Date: Mon, 25 Feb 2008 12:04:18 +0100
From: Jeroen Massar <jeroen@unfix.org>
To: michael.dillon@bt.com
CC: nanog@merit.edu
In-Reply-To: <D03E4899F2FB3D4C8464E8C76B3B68B00203B5C1@E03MVC4-UKBR.domain1.systemhost.net>
Errors-To: owner-nanog@merit.edu


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigD34FC1E48246119BB0063739
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

michael.dillon@bt.com wrote:
[..]
> Pushing this task off to a server that does not have packet-forwarding
> duties also allows for flexible interfaces to network management
> systems including the possibility of asking for human confirmation
> before announcing a new route.

There is no (direct) requirement for most of these solutions to do it in the router that forwards actual packets, just add a special BGP box for this. This box then 'verifies' if the update looks OK. When the update looks fishy, it can, depending on what you want, either notify your favourite $nocmonkey to look at it and/or at least instruct the real routers to not use that path.

You can take (S-)BGP(-S) for verification, but you can also use IRR data or whatever source you have for stating 'this prefix from there over this path is trusted', compare against that and voila, you've got a report when the assumed vectors don't match and you can at least react to them.

These kinds of systems already exist, see previous emails, but clearly not too many actually make use of them, now that is too bad for your customers who couldn't see their lolcats or worse who couldn't reach their stock house for quickly selling their shares before that company went down the drain completely...

Greets,
  Jeroen
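The out-of-band "special BGP box" the post describes, compare each received update against a trusted source of prefix/origin/path expectations and report the ones that do not match, is easy to sketch. The following is an added example written for this page, not code from the post or from any real tool. The route objects, ASNs (private range 64500-64599) and prefixes (RFC 5737 documentation space) are constructed stand-ins for IRR data, and the "transits" field is an assumption standing in for whatever "over this path is trusted" information an operator actually has. The check flags the more-specific-from-an-unauthorized-origin pattern separately, since that is the shape of the YouTube event this thread is about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data standing in for IRR route objects (hypothetical ASNs and
# documentation prefixes, not real registry data). Each covering prefix lists the
# origin ASNs allowed to announce it and the transit ASNs expected next to the origin.
ROUTE_OBJECTS = {
    "203.0.113.0/24": {"origins": {64500}, "transits": {64510, 64511}},
    "198.51.100.0/22": {"origins": {64501}, "transits": {64510}},
}


@dataclass
class Update:
    """One received BGP update: the announced prefix and its AS_PATH (origin last)."""
    prefix: str
    as_path: list


@dataclass
class Finding:
    prefix: str
    origin: int
    status: str   # VALID | INVALID_ORIGIN | UNAUTHORIZED_MORE_SPECIFIC | UNEXPECTED_TRANSIT | UNKNOWN
    detail: str = ""


def covering_objects(prefix, route_objects):
    """Return (network, object) pairs whose prefix equals or covers the announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    result = []
    for p, obj in route_objects.items():
        reg = ipaddress.ip_network(p)
        if reg.version == net.version and net.subnet_of(reg):
            result.append((reg, obj))
    return result


def check_update(update, route_objects=ROUTE_OBJECTS):
    """Classify one update against the route objects; never touches the forwarding routers."""
    origin = update.as_path[-1]
    net = ipaddress.ip_network(update.prefix, strict=False)
    covering = covering_objects(update.prefix, route_objects)
    if not covering:
        # No data to judge against: report it as unknown rather than silently accepting it.
        return Finding(update.prefix, origin, "UNKNOWN", "no route object covers this prefix")

    authorized = {o for _, obj in covering for o in obj["origins"]}
    exact_match = any(reg == net for reg, _ in covering)
    if origin not in authorized:
        if exact_match:
            return Finding(update.prefix, origin, "INVALID_ORIGIN",
                           f"origin {origin} not in {sorted(authorized)}")
        # A longer prefix than registered, from an origin that may not announce it:
        # the classic more-specific hijack shape.
        covered_by = [str(reg) for reg, _ in covering]
        return Finding(update.prefix, origin, "UNAUTHORIZED_MORE_SPECIFIC",
                       f"more-specific of {covered_by} from origin {origin}")

    # Origin is fine; if the path shows who is adjacent to the origin, compare that to the
    # transits the operator considers trusted for this prefix (assumed data, see lead-in).
    if len(update.as_path) >= 2:
        upstream = update.as_path[-2]
        expected = {t for _, obj in covering for t in obj["transits"]}
        if expected and upstream not in expected:
            return Finding(update.prefix, origin, "UNEXPECTED_TRANSIT",
                           f"origin reached via {upstream}, expected one of {sorted(expected)}")
    return Finding(update.prefix, origin, "VALID")


def report(updates, route_objects=ROUTE_OBJECTS):
    """Everything an operator (or the $nocmonkey) should look at: all non-VALID findings."""
    return [f for f in (check_update(u, route_objects) for u in updates) if f.status != "VALID"]


# Constructed updates exercising each outcome.
SAMPLE_UPDATES = [
    Update("203.0.113.0/24", [64510, 64500]),   # registered origin via expected transit
    Update("203.0.113.0/25", [64520, 64599]),   # more-specific from an unregistered origin
    Update("198.51.100.0/22", [64510, 64599]),  # exact prefix, wrong origin
    Update("198.51.100.0/24", [64510, 64501]),  # more-specific, but the registered origin
    Update("198.51.100.0/22", [64530, 64501]),  # right origin, unexpected upstream
    Update("192.0.2.0/24", [64510, 64502]),     # nothing registered for this prefix
]

if __name__ == "__main__":
    for f in report(SAMPLE_UPDATES):
        print(f"{f.status:28} {f.prefix:18} AS{f.origin}  {f.detail}")
```

Feeding this from a route collector or a BGP daemon's update stream and sending the non-VALID findings to the NOC, or to a policy that withdraws the path on the real routers, is exactly the split the post argues for: the forwarding routers stay simple and the verification logic lives where it can be changed and watched.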


--------------enigD34FC1E48246119BB0063739
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHwqC1KaooUjM+fCMRAkHfAJ0cAq/MTKy3jzMHnNy5z494mYdb2wCdHEoo
5qbYi9aVT+BYuZ+f0UBnOdo=
=qkol
-----END PGP SIGNATURE-----

--------------enigD34FC1E48246119BB0063739--


home help back first fref pref prev next nref lref last post