[107255] in North American Network Operators' Group
Re: Revealed: The Internet's well known BGP behavior
daemon@ATHENA.MIT.EDU (Randy Bush)
Thu Aug 28 17:15:30 2008
Date: Fri, 29 Aug 2008 09:15:22 +1200
From: Randy Bush <randy@psg.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20080828115630.3feb8f7a@cs.columbia.edu>
Cc: NANOG <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org
Steven M. Bellovin wrote:
> On Thu, 28 Aug 2008 10:16:16 -0500
> "Anton Kapela" <tkapela@gmail.com> wrote:
>
>> I thought I'd toss in a few comments, considering it's my fault that
>> few people are understanding this thing yet.
>>
>>>> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <ge@linuxbox.org>
>>>> wrote:
>>>>> People (especially spammers) have been hijacking networks for a
>>>>> while
>> I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
>> AFP, and Forbes.
>>
>> We all know sub-prefix hijacking is not news. What is news? Using
>> as-path loop detection to selectively blackhole the hijacked route -
>> which creates a transport path _back to_ the target.
>>
>> That's all it is, nothing more. All but the WIRED follow-up article
>> missed this point *completely.* They over-represented the 'hijacking'
>> aspects, while only making mention of the 'interception' potential.
>>
>> Let's end this thread with the point I had intended two weeks ago:
>> we've presented a method by which all the theory spewed by academics
>> can be actualized in a real network (the big-I internet) to effect
>> interception of data between (nearly) arbitrary endpoints from
>> (nearly) any edge or stub AS. That, I think, is interesting.
>>
> Indeed, and I thank you for it. As noted, I and others have been
> warning about the problem for a long time. You've shown that it isn't
> just an ivory tower exercise; maybe people will now get serious about
> deploying a solution.
>
> To quote Bruce Schneier quoting an NSA maxim, attacks only get better;
> they never get worse. We now have running code of one way to do this.
> I think most NANOG readers can see many more ways to do it. A real
> solution will take years to deploy, but it will never happen if we
> don't start. And we want to have the solution out there *before* we
> see serious attacks on BGP.
>
> Again, thank you -- it was really nice work.
<aol>
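An added example, not part of this thread or of any project named in it: a small route-monitor check for the two things Anton describes above, a more-specific announcement from a foreign origin AS, and the AS-path pattern in which the victim's own upstreams appear in the bogus path (so they discard it as a loop and keep forwarding to the real origin). The protected prefixes, ASNs and the update feed are constructed; the origin check is what RPKI-style origin validation enforces, the path check is only a heuristic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    """One BGP announcement; AS_PATH is read left to right, origin AS last."""
    prefix: str
    as_path: tuple

# Constructed inventory: protected prefix -> (registered origin AS, its upstream ASes).
# All ASNs are from the documentation (64496-64511) or private (64512+) ranges.
PROTECTED = {
    "198.51.100.0/22": (64500, {64510, 64520}),
    "2001:db8::/32": (64500, {64510}),
}

def classify(update, protected=PROTECTED):
    """Label one update against the protected inventory.
    'ok'                    covered prefix from the registered origin, or unrelated
    'prefix-hijack'         exact covered prefix, foreign origin
    'subprefix-hijack'      more-specific of a covered prefix, foreign origin
    '...-with-return-path'  the bogus path also names the victim's upstreams, which
                            discard it as a loop and keep the real route (interception)
    """
    net = ipaddress.ip_network(update.prefix, strict=False)
    origin = update.as_path[-1]
    for pfx, (reg_origin, upstreams) in protected.items():
        pnet = ipaddress.ip_network(pfx)
        if net.version != pnet.version or not net.subnet_of(pnet):
            continue
        if origin == reg_origin:
            return "ok"
        label = "subprefix-hijack" if net.prefixlen > pnet.prefixlen else "prefix-hijack"
        if upstreams & set(update.as_path[:-1]):
            label += "-with-return-path"
        return label
    return "ok"

def scan(updates, protected=PROTECTED):
    """Return [(prefix, label)] for every update that is not 'ok'."""
    return [(u.prefix, lab) for u in updates if (lab := classify(u, protected)) != "ok"]

# Constructed sample feed.
SAMPLE_FEED = [
    Update("198.51.100.0/22", (64510, 64500)),         # legitimate aggregate
    Update("198.51.100.0/24", (64530, 64540)),         # plain sub-prefix hijack
    Update("198.51.100.0/24", (64530, 64510, 64540)),  # interception pattern
    Update("198.51.100.0/24", (64520, 64500)),         # origin's own more-specific
    Update("203.0.113.0/24", (64530, 64540)),          # unrelated prefix
]
```

`scan(SAMPLE_FEED)` returns only the two bogus /24 announcements, the second labelled with the return-path pattern; the origin's own more-specific and the unrelated prefix are not flagged.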