[111806] in North American Network Operators' Group
Re: Global Blackhole Service
daemon@ATHENA.MIT.EDU (Jack Bates)
Fri Feb 13 12:33:01 2009
Date: Fri, 13 Feb 2009 11:31:16 -0600
From: Jack Bates <jbates@brightok.net>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20090213121553.1aea266c@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Steven M. Bellovin wrote:
> In other words, a legitimate prefix hijacking service...
>
Absolutely, NOT. The origin AS will still be the AS that controls the IP
space. In fact, I think SBGP would be great for a layout like this to
secure down the injections. That being said, prefix lists with md5 auth
are probably the best we can hope for. Routing registry macro support or
a hashed authorization link sent to whois contacts to automate
modification of the prefix lists would be ideal (not much different than
a provider is *supposed* to do with their BGP customers). Once the peer
is established and limited in scope, they can then start advertising /32
networks into the blackhole server who will pass it on to others.

> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique. You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it. Those two points are *hard*. I also note that the
> scheme as described here is incompatible with more or less any possible
> secured BGP, since by definition it involves an AS that doesn't own a
> prefix advertising a route to it.

I would presume that md5 BGP peering with prefix lists developed based
on public information (whois/routing registry) is about as good as any
of us have it now. Granted, there are places that don't do that, and
that is where we see route hijacking. A service like this would have to
mandate it, to ensure any /32 injected into it came from the peer that
is authorized for the network the /32 belongs to. Since the AS_PATH can
be maintained, I don't see an issue with secure BGP. Granted, the
packets themselves won't be taking any path.

Jack Bates
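
The acceptance rule discussed in this message, as an added example that is not part of the original post or of any existing blackhole service: a route is accepted only if it is an IPv4 /32, falls inside the announcing peer's prefix list, and keeps that peer as origin AS. The function name, the sample prefix lists (documentation prefixes, private-use ASNs) and the assumption that the directly connected peer is also the origin are all hypothetical.

```python
import ipaddress

# Constructed sample data: per-peer prefix lists as they might be built from
# whois / routing-registry records. ASNs and prefixes are documentation values.
PEER_PREFIX_LISTS = {
    64500: ["192.0.2.0/24", "198.51.100.0/24"],
    64501: ["203.0.113.0/24"],
}


def check_blackhole_route(peer_as, prefix, as_path, prefix_lists=PEER_PREFIX_LISTS):
    """Return (accepted, reason) for a route a peer injects into the server.

    as_path is ordered as received: first element is the neighbor, last is
    the origin. Assumption: the peer announces only its own address space.
    """
    allowed = prefix_lists.get(peer_as)
    if allowed is None:
        return False, "peer has no prefix list"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # The service carries host routes only, never aggregates.
    if net.version != 4 or net.prefixlen != 32:
        return False, "only IPv4 /32 routes are accepted"
    # Origin must remain the AS that controls the space (no re-origination).
    if not as_path or as_path[0] != peer_as or as_path[-1] != peer_as:
        return False, "AS_PATH does not originate at the announcing peer"
    # The /32 must sit inside a prefix this peer is authorized for.
    covering = [p for p in map(ipaddress.ip_network, allowed)
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return False, "host route is outside the peer's prefix list"
    return True, f"covered by {covering[0]}"


if __name__ == "__main__":
    for args in [(64500, "192.0.2.55/32", [64500]),
                 (64501, "192.0.2.55/32", [64501]),
                 (64500, "192.0.2.0/24", [64500])]:
        print(args, "->", check_blackhole_route(*args))
```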