[107216] in North American Network Operators' Group


RE: Revealed: The Internet's well known BGP behavior

daemon@ATHENA.MIT.EDU (John Lee)
Wed Aug 27 23:26:59 2008

From: John Lee <john@internetassociatesllc.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>, NANOG list <nanog@merit.edu>
Date: Wed, 27 Aug 2008 22:22:36 -0500
In-Reply-To: <60A4BF0E-A3DD-4AEA-B8D6-70149FCE1A5F@ianai.net>
Errors-To: nanog-bounces@nanog.org

Patrick,

VPNs and MPLS control intermediate hops, and IPsec and SSL do not allow the info to be seen.

Rewriting the TTL only hides the hop count; traceroute will still show the hops the packet has transited.

John (ISDN) Lee

________________________________________
From: Patrick W. Gilmore [patrick@ianai.net]
Sent: Wednesday, August 27, 2008 11:18 PM
To: NANOG list
Subject: Re: Revealed: The Internet's well known BGP behavior

On Aug 27, 2008, at 11:07 PM, John Lee wrote:

> 1. The technique is not new it is well known BGP behavior and not
> stealthy to people who route for a living.

Using existing technology in novel ways is still novel.  Plus it makes
the technique more accessible.  (Perhaps that is not a good thing?)


> 2. When your networks use VPNs, MPLS, IPsec, SSL et al you can
> control what packets are going where.

No, you cannot.  You can only ensure your end points are the end
points you think they are.  In no way, shape, or form do things like
IPsec, SSL, etc. verify or control the intermediate hops.


> 3. When you are running some number of trace routes per hour to see
> how and where your packets are going you spot the additional hops.

The presentation specifically shows hiding the hops by re-writing
TTLs.  Perhaps you do not understand this attack as well as you thought?


> 4. If you do cold potato routing and know where your peering points
> are and what the acls and peering policies are it is more difficult
> to hijack.

Would that network operators were so diligent.


> And finally you use high speed optical paths or broad band ISDN
> (ATM) why route when you can deterministically switch.

Because people want to be able to reach the entire planet with a
single port and without "deterministically" creating paths to every
single end point.

Why use ISDN (ATM) when you can do something useful?

--
TTFN,
patrick
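To make the TTL point in this exchange concrete, here is an added toy simulation of a traceroute sweep; it is my own illustration, not code from either poster or from the presentation under discussion, and the hop names, delays, the "decrements TTL" flag and the 10 ms threshold are all invented for the example. A hop that forwards a packet without decrementing its TTL never sees the TTL reach zero, so it never sends ICMP Time Exceeded and does not appear in the hop list; the hop count is unchanged and the extra delay is what remains, which is why a per-hop RTT baseline is a useful complement to simply counting hops.

```python
"""Toy traceroute sweep over a constructed path (not from the NANOG thread).

Each hop is (name, one-way delay in ms, decrements_ttl). A hop that forwards
without decrementing TTL never sees TTL reach 0, never answers with ICMP Time
Exceeded, and so is absent from the reported hop list.
"""

# Baseline path, every hop decrements TTL normally (values are invented)
NORMAL_PATH = [("r1", 1.0, True), ("r2", 2.0, True), ("r3", 3.0, True), ("dst", 1.0, True)]
# Same path with two transparent hops x1/x2 that leave TTL untouched (invented)
DETOUR_PATH = [("r1", 1.0, True), ("x1", 20.0, False), ("x2", 20.0, False),
               ("r2", 2.0, True), ("r3", 3.0, True), ("dst", 1.0, True)]


def probe(path, ttl):
    """One probe with the given TTL: return (replying hop, rtt_ms).
    Models forwarding delay plus a symmetric return trip. The hop where TTL
    hits 0 replies with Time Exceeded; the destination replies regardless."""
    elapsed = 0.0
    last = len(path) - 1
    for i, (name, delay, decrements) in enumerate(path):
        elapsed += delay
        if decrements:
            ttl -= 1
        if ttl == 0 or i == last:
            return name, round(2 * elapsed, 1)


def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, ... until the destination answers; list the replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl)
        hops.append(reply)
        if reply[0] == path[-1][0]:
            break
    return hops


def hop_names(path):
    return [name for name, _ in traceroute(path)]


def rtt_jumps(baseline_path, observed_path, threshold_ms=10.0):
    """Hops whose RTT grew by more than threshold_ms versus the baseline sweep:
    the clue that survives when hop names and hop count are identical."""
    base = dict(traceroute(baseline_path))
    return [(name, rtt - base[name]) for name, rtt in traceroute(observed_path)
            if name in base and rtt - base[name] > threshold_ms]
```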

