[50886] in North American Network Operators' Group


Re: Routing Protocol Security

daemon@ATHENA.MIT.EDU (Danny McPherson)
Tue Aug 13 14:45:35 2002

To: "Jeff Doyle" <jdoyle@juniper.net>
Cc: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Tue, 13 Aug 2002 12:42:10 -0600
Errors-To: owner-nanog-outgoing@merit.edu

I know of several incidents where invalid routing announcements 
were maliciously employed in order to cause reachability problems 
to the destination prefix network.  

It still bugs me that router vendors don't provide the capability 
to support inter-provider filters (read: 10s or 100s of thousands 
of instances).  But heck, some providers still don't even filter 
routing announcements for customer prefixes explicitly.  This is 
a HUGE vulnerability.

Likewise, employing the same set of inter-provider filters at 
the data plane as ingress source filters would suppress the 
bulk of these cheesy spoofed-source address attacks.  This is 
another HUGE vulnerability (providing a solution in hardware
is a bit more difficult -- though not impossible!).  But heck,
some providers still don't employ customer ingress filtering.

Of course, then the vulnerability would be the registries, and 
subsequent components therein.  

Then again, at least the former was done many moons ago, though 
wasn't real successful given the network, 24 hour turnarounds, 
etc.  However, things like BGP Route Refresh and the like could
alleviate most of the offshoots of the time.

Now, back to the router vendor support issue, if that's what
you were soliciting input on...?

-danny
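The two filters the post pairs, an explicit customer prefix filter on the routing session and that same entry set reused as an ingress source filter on the data plane, as an added Python example that is not part of the original message; the prefixes, the FilterEntry shape and the max_len field are constructed assumptions, not anything from the list archive.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterEntry:
    """One customer-authorized prefix plus the longest announcement length allowed."""
    prefix: ipaddress.IPv4Network
    max_len: int


# Constructed sample of what a provider would build from its own customer
# records (hypothetical documentation prefixes; IPv4 only for brevity).
CUSTOMER_FILTER = [
    FilterEntry(ipaddress.ip_network("192.0.2.0/24"), 24),
    FilterEntry(ipaddress.ip_network("198.51.100.0/22"), 24),
]


def announcement_permitted(prefix_str, entries=CUSTOMER_FILTER):
    """Control plane: accept a BGP announcement only if it is covered by a
    customer entry and is no more specific than that entry's max length."""
    net = ipaddress.ip_network(prefix_str, strict=True)
    return any(net.subnet_of(e.prefix) and net.prefixlen <= e.max_len
               for e in entries)


def source_permitted(addr_str, entries=CUSTOMER_FILTER):
    """Data plane: the same entry set applied as an ingress source filter.
    A packet is forwarded only if its source address lies in a customer prefix."""
    addr = ipaddress.ip_address(addr_str)
    return any(addr in e.prefix for e in entries)


def audit(announcements, packets):
    """Return (rejected announcements, dropped source addresses) for a batch,
    i.e. what the two filters would have stopped on this customer session."""
    bad_routes = [p for p in announcements if not announcement_permitted(p)]
    spoofed = [s for s in packets if not source_permitted(s)]
    return bad_routes, spoofed


if __name__ == "__main__":
    routes = ["192.0.2.0/24", "198.51.100.0/23", "198.51.100.0/25", "203.0.113.0/24"]
    sources = ["192.0.2.10", "198.51.103.7", "203.0.113.5"]
    print(audit(routes, sources))
```

The /25 is rejected because it is more specific than the customer's agreed maximum, and the 203.0.113.0/24 announcement and the 203.0.113.5 source are both dropped by the same entry set.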