[147611] in North American Network Operators' Group
RE: Is AS information useful for security?
daemon@ATHENA.MIT.EDU (Drew Weaver)
Thu Dec 15 11:29:45 2011
From: Drew Weaver <drew.weaver@thenap.com>
To: "'Justin M. Streiner'" <streiner@cluebyfour.org>, "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 15 Dec 2011 11:28:48 -0500
In-Reply-To: <Pine.LNX.4.64.1112150933310.1202@whammy.cluebyfour.org>
-----Original Message-----
From: Justin M. Streiner [mailto:streiner@cluebyfour.org]
Sent: Thursday, December 15, 2011 9:45 AM
To: nanog@nanog.org
Subject: Re: Is AS information useful for security?
> origin-AS could be another story. If you know of an AS that is being used by the bad guys for bad purposes, you can write a routing policy to dump all traffic to/from that AS into the bit bucket or take some other action that could be dictated by your security policy. In that case, a routing policy could be considered an extension of a security policy.
I could be wrong here, but I believe origin-AS uses a lookup from the routing table to figure out what the origin-AS for the source IP should be (and not what it explicitly IS), which means the information is unreliable.
For example, if someone is sending spoofed packets towards you, the origin-AS will always show up as the originator of the real route instead of the origin-AS of the actual traffic.
This is why it would be useful to have the origin-AS (from the actual origin) in the packet header.
Thanks,
-Drew
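The following is an added illustration of the point made in this message; it is not code from the thread or from either author. It builds a constructed routing table (documentation prefixes from RFC 5737, documentation ASNs from RFC 5398), does the longest-prefix-match lookup that a routing-table-derived "origin-AS" amounts to, and then applies the kind of "drop traffic from AS X" policy described in the quoted text. The `true_sender_as` field on each constructed packet is simulation-only ground truth that a real router never has; it exists purely so the example can show where the lookup misattributes spoofed traffic.

```python
"""Routing-table-derived origin-AS versus the AS that actually sent a packet.

Constructed example. The RIB, the packets and the 'true_sender_as' ground
truth are all made up for illustration; nothing here is real routing data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed RIB: prefix -> origin AS (RFC 5737 prefixes, RFC 5398 ASNs).
RIB: Dict[str, int] = {
    "192.0.2.0/24": 64496,
    "192.0.2.128/25": 64497,   # more-specific announced by a different AS
    "198.51.100.0/24": 64498,
    "203.0.113.0/24": 64499,
}

# Constructed packets. 'true_sender_as' is the AS the packet really came
# from; a router only ever sees 'src'. AS 64512 is a private ASN standing
# in for the actual sender of the spoofed packet.
SAMPLE_PACKETS: List[dict] = [
    {"src": "192.0.2.10",   "true_sender_as": 64496},  # legitimate
    {"src": "192.0.2.200",  "true_sender_as": 64497},  # legitimate, more-specific
    {"src": "198.51.100.5", "true_sender_as": 64512},  # spoofed source
    {"src": "10.0.0.1",     "true_sender_as": 64512},  # source not in RIB
]


def origin_as_lookup(src_ip: str, rib: Dict[str, int] = RIB) -> Optional[int]:
    """Longest-prefix match of src_ip against the RIB.

    Returns the origin AS of the covering route, or None if no route
    covers the address. This is what a routing-table-derived origin-AS
    attribute actually computes: who announces the prefix, not who sent
    the packet.
    """
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, asn in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def evaluate_policy(packets: List[dict], blocked_as: set,
                    rib: Dict[str, int] = RIB) -> List[dict]:
    """Apply 'drop if RIB-derived origin-AS is in blocked_as' to each packet.

    For each packet, report the AS the RIB attributes it to, whether the
    policy dropped it, and whether that attribution differs from the
    (simulation-only) true sender.
    """
    results = []
    for pkt in packets:
        looked_up = origin_as_lookup(pkt["src"], rib)
        results.append({
            "src": pkt["src"],
            "rib_origin_as": looked_up,
            "true_sender_as": pkt["true_sender_as"],
            "dropped": looked_up in blocked_as,
            "misattributed": looked_up != pkt["true_sender_as"],
        })
    return results


if __name__ == "__main__":
    # Policy: drop everything the RIB attributes to the spoofing AS.
    for row in evaluate_policy(SAMPLE_PACKETS, blocked_as={64512}):
        print(row)
```

Running it shows the failure mode from the message in both directions: the spoofed packet with source 198.51.100.5 is attributed to AS 64498 (the prefix holder), so a policy targeting the real sender (AS 64512) never drops it, while a policy targeting AS 64498 would drop the spoofed traffic together with that AS's legitimate traffic. The source that no route covers yields no origin-AS at all.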