[191387] in North American Network Operators' Group


Re: "Defensive" BGP hijacking?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Sep 12 14:11:40 2016

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <871t0p3sob.fsf@mid.deneb.enyo.de>
Date: Mon, 12 Sep 2016 14:11:36 -0400
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>
> * Mel Beckman:
>
>> If we can't police ourselves, someone we don't like will do it for us.
>
> That hasn't happened with IP spoofing, has it?  As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks.  Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.

IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering.

BGP filtering is feasible in hardware and software today.  You can put a 600k
line config on most devices without issues, and automate policy generation
with a tool like bgpq3 or similar.

Most hardware requires a recirculation of the packet to do a lookup on the
source IP address.  This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.

- Jared
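
Added example, not part of the original message: a sketch of what an IRR-derived prefix filter (the kind of policy a tool like bgpq3 generates) decides for each announcement on a customer session. The route objects, ASNs, the `max_len` default and the function names are constructed for illustration.

```python
import ipaddress

# Constructed IRR-style route objects: (prefix, registered origin ASN).
# Documentation prefixes and private-use ASNs only.
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("2001:db8::/32", 64500),
]


def build_filter(route_objects, max_len_v4=24, max_len_v6=48):
    """Turn route objects into filter entries (network, origin, max length)."""
    entries = []
    for prefix, origin in route_objects:
        net = ipaddress.ip_network(prefix)
        limit = max_len_v4 if net.version == 4 else max_len_v6
        # Never set the limit shorter than the registered prefix itself.
        entries.append((net, origin, max(limit, net.prefixlen)))
    return entries


def check(entries, prefix, origin_asn):
    """Return 'accept' or a reject reason for one received announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for allowed, origin, max_len in entries:
        # subnet_of() raises TypeError across address families, so test first.
        if net.version != allowed.version or not net.subnet_of(allowed):
            continue
        covered = True
        if net.prefixlen <= max_len and origin == origin_asn:
            return "accept"
    if covered:
        return "reject: origin or length mismatch"
    return "reject: not registered"


if __name__ == "__main__":
    flt = build_filter(ROUTE_OBJECTS)
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("203.0.113.0/24", 64500), ("10.0.0.0/8", 64500)]:
        print(pfx, asn, "->", check(flt, pfx, asn))
```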
