[8826] in North American Network Operators' Group
Re: In case anyone hadn't seen this
daemon@ATHENA.MIT.EDU (Pierre Thibaudeau)
Fri Apr 25 16:42:53 1997
Date: Fri, 25 Apr 1997 16:14:38 -0400 (EDT)
From: Pierre Thibaudeau <prt@Teleglobe.CA>
Reply-To: Pierre Thibaudeau <prt@Teleglobe.CA>
To: "John W. Stewart III" <jstewart@isi.edu>
Cc: Enke Chen <enkechen@cisco.com>, nanog@merit.edu
In-Reply-To: <199704251921.PAA20742@central-services.east.isi.edu>
On Fri, 25 Apr 1997, John W. Stewart III wrote:
>
> > The solution to this problem is filtering, which has been known for
> > a long time.
> >
> > The provoders that have been filtering on the customer edge seem to
> > have done much better in terms of providing sanitized routes. I am
> > wondering how many such major outages need to occur in order to
> > convince some providers to do customer filtering?
>
> i'd argue that filtering is protection against misconfigurations.
> in practice, the way that filtering is done, it does not protect
> us from malice; hopefully such attacks would be short-lived
> because the immediate provider(s) would cut the person off, but
> even short problems on the scale we're talking about are serious.
> fortunately most of the wide-scale attacks we've seen have not
> been within the routing system itself (though some have pounded
> its infrastructure .. e.g., the low UDP port number attack), but
> there's always that possibility. in order for filtering to
> protect us from malicious attacks within the routing system we
> need a lot more in the way of authentication for registries and
> tools built on top of them
Using the of RAWhoisd extended queries(*) it is very easy to build an
accurate access list and an as-path filter as well.
(*) see http://www.ra.net/RADB.tools.docs/rawhoisd.8.html
It is equally simple for anyone having access to a router receiving the
full BGP table to check the consistency of informations found in routing
registries with the actual BGP entries *before* putting a new access list
in action.
Nothing else is required to inject sound routing information in the BGP
mesh.
> of course that means a lot of work, so people have to first
> recognize how fragile some of this stuff is. today's excitement
> is a very good example of that fragility
>
> to be clear, i am a fan of registries and filtering as they are
> currently used .. there is no alternative other than chaos. i
> just think it's a mistake to think that filtering as we know it
> now is equivalent to a necessarily robust routing system
All sorts of malicious attacks can give us headaches, but BGP
annoucements, is just like crossing the street: carefully watch for what
is already there and you will be safe.
>
> /jws
>
__
Pierre Thibaudeau | e-mail: <prt@Teleglobe.CA>
TELEGLOBE CANADA |
1000, rue de La Gauchetiere ouest | Tel: +1-514-868-7257
Montreal, QC H3B 4X5 |
Canada | fax: +1-514-868-8446