[194871] in North American Network Operators' Group
Re: IPv4 Hijacking For Idiots
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Jun 6 12:09:14 2017
In-Reply-To: <115957cb-34f8-e2ee-b53b-12b3d5842521@efes.iucc.ac.il>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Tue, 6 Jun 2017 12:09:08 -0400
To: Hank Nussbacher <hank@efes.iucc.ac.il>
Cc: nanog list <nanog@nanog.org>
On Tue, Jun 6, 2017 at 2:25 AM, Hank Nussbacher <hank@efes.iucc.ac.il>
wrote:
(I think this is really Ron and Bill chatting, but some of the linkage got
lost on the tubes)
> >
> >> I've read article after article after article bemoaning the fact that
> >> "BGP isn't secure",
> >
> > They're talking about a different problem: ISPs are supposed to configure
> > end-user BGP sessions per BCP38 which limits which BGP announcements the
> > customer can make. Some ISPs are sloppy and incompetent and don't do this.
> > Unfortunately, once you're a level or two upstream the backbone ISP
> > actually can't do much to limit the BGP announcements because it's often
> > impractical to determine whether a block of IP addresses can legitimately
> > be announced from a given peer.
>
Just a clarifying note: I don't think BCP38 talks about BGP at all,
actually...
I think Bill is actually saying:
"ISPs are supposed to configure BCP38 to filter TRAFFIC from their
customers/peers and BGP filters to limit the scope of the customer routes
sent/received"
I don't think the filtering of customer prefixes/announcements is actually
covered in a BCP though.
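
Added example, not part of the original message: the two separate checks the reply distinguishes, a BCP38-style source-address filter on customer traffic and a prefix filter on customer BGP announcements. The customer prefixes (documentation ranges), the maximum accepted prefix length and the sample packets and routes are constructed assumptions.

```python
import ipaddress

# Constructed data: prefixes assigned to a hypothetical customer.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
MAX_PREFIX_LEN = 24  # assumption: longest announcement accepted from this customer


def source_allowed(src_ip, allowed=CUSTOMER_PREFIXES):
    """Data plane (BCP38-style): is the packet's source inside a customer prefix?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def announcement_allowed(prefix, allowed=CUSTOMER_PREFIXES, max_len=MAX_PREFIX_LEN):
    """Control plane: is the announced route covered by a customer prefix
    and no longer than max_len?"""
    route = ipaddress.ip_network(prefix)
    if route.prefixlen > max_len:
        return False
    return any(
        net.version == route.version and route.subnet_of(net) for net in allowed
    )


def audit(packets, announcements):
    """Apply each filter to its own input; neither filter sees the other's data."""
    return {
        "spoofed_sources": [p for p in packets if not source_allowed(p)],
        "rejected_routes": [a for a in announcements if not announcement_allowed(a)],
    }


# Constructed samples: source addresses seen on the customer port, and
# prefixes received on the customer's BGP session.
SAMPLE_PACKETS = ["192.0.2.10", "203.0.113.7", "198.51.100.200"]
SAMPLE_ROUTES = ["192.0.2.0/24", "203.0.113.0/24", "198.51.100.128/25", "192.0.0.0/16"]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_PACKETS, SAMPLE_ROUTES).items():
        print(kind, items)
```

An announcement for 203.0.113.0/24 never reaches `source_allowed`, so a session with only the traffic filter in place would still accept it.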