nanog mailing list archives

Re: That pesky AS path corruption bug...


From: Jeff Haas <jeffhaas () merit edu>
Date: Tue, 23 May 2000 16:17:16 -0400


On Tue, 23 May 2000, Blaine Christian wrote:
> else is free game.  Who besides a route-server would want to prepend an
> AS besides their own.  Who wants to allow customers and perhaps even
> peers to send routes prepending an AS that is not their own?

FWIW, route servers (at least RSng ones) either prepend their own AS
or leave the path information alone.  No sane BGP speaker would prepend
anything other than its own, its peers (proxy AS prepending)
or internal AS numbers for confederation purposes.

This isn't to say that "routers" can't diddle with it all they want.
If you have access to a BGP session and can muck with AS-paths
in routing updates, you have access to a very effective denial of
routing attack.

The only valid defense against such mucking that I can think of
is verifying AS adjacencies against some registry and flagging
unknown paths.  This is not a cheap thing to do.  This, however,
is far saner than cryptographically signing all routing updates
which is one solution I've heard proposed. :-P

-- 
Jeffrey Haas - Merit RSng project - jeffhaas () merit edu
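
The registry check the message describes, as an added example (not code from the post or from the RSng project): each received AS path is collapsed for prepending, then every hop pair is looked up in a table of known adjacencies. The registry contents, the sample updates and the function names are constructed assumptions; the AS numbers come from the documentation range.

```python
# Added illustration; registry and updates below are constructed sample data.

def collapse_prepends(path):
    """Drop consecutive repeats so prepending (A A A B) becomes (A B)."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check_path(as_path, registry, neighbor_as=None):
    """Return findings for one received AS path (empty list = nothing flagged).

    Pass neighbor_as=None for a route-server session that leaves the path alone.
    """
    path = collapse_prepends([int(a) for a in as_path.split()])
    if not path:
        return ["empty AS path"]
    findings = []
    # A neighbor that prepends should have put its own AS first.
    if neighbor_as is not None and path[0] != neighbor_as:
        findings.append(f"first AS {path[0]} is not neighbor AS {neighbor_as}")
    # An AS that reappears after collapsing prepends is a non-contiguous repeat.
    seen = set()
    for asn in path:
        if asn in seen:
            findings.append(f"AS {asn} repeats non-contiguously")
        seen.add(asn)
    # Every hop pair must be a registered adjacency (treated as undirected).
    for left, right in zip(path, path[1:]):
        if frozenset((left, right)) not in registry:
            findings.append(f"unknown adjacency {left}-{right}")
    return findings

# Constructed registry of known AS adjacencies.
REGISTRY = {frozenset(p) for p in [(64496, 64497), (64497, 64498), (64498, 64499)]}

# Constructed updates: (neighbor AS, AS path as received).
UPDATES = [
    (64496, "64496 64496 64497 64498"),  # ordinary prepending
    (64496, "64496 64499"),              # adjacency missing from the registry
    (64496, "64497 64498"),              # neighbor's own AS is not first
    (64496, "64496 64497 64496 64497"),  # non-contiguous repeat
]

if __name__ == "__main__":
    for neighbor, path in UPDATES:
        print(path, "->", check_path(path, REGISTRY, neighbor) or "ok")
```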


