nanog mailing list archives
Re: Securing the BGP or controlling it?
From: deleskie () gmail com
Date: Mon, 10 May 2010 22:41:00 +0000
Ziad, I agree, its unfortunate that so many people no longer require route registration. Not that it would solve all the issues. Tom School, Todd Underwood and I present some work we did looking @ this @ nanog in LA a while back. Unfortunately we could never find time to take it to the next steps. -jim Sent from my BlackBerry device on the Rogers Wireless Network -----Original Message----- From: Zaid Ali <zaid () zaidali com> Date: Mon, 10 May 2010 10:32:47 To: Thomas Magill<tmagill () providecommerce com>; Franck Martin<franck () genius com>; <nanog () nanog org> Subject: Re: Securing the BGP or controlling it? What we need (as operators) is to get better at ensuring that advertisements are coming from the valid owner of said address space. What we don't need is a separate governance model which I worry this article is trying to imply. I still use RADB but I hear not every peer/provider checks there anymore? This is hearsay so interested in other opinions. As far as the mistakes pointed out in this article one can be assured that these things are bound to happen. The youtube situation could have been prevented if the peer opening a filter (and responsible for announcing out) had reach to a system where the other peer's advertisement can be verified. I don't think leaning on competency is a good way to go about solving this problem, we need a system or model in place to ensure we have a trust and verification system. Zaid On 5/10/10 9:54 AM, "Thomas Magill" <tmagill () providecommerce com> wrote:
All of the major providers I have worked with have required proof of 'ownership' of address space or an LoA from the registered holder of that space before they would allow advertisements from me, which are then filtered. Is this not the norm? I can understand if they are talking about an operator making a mistake, but the article seems to imply that anyone running BGP can bring down the Internet... I think any competent provider can easily eliminate this threat from customers. Are there any types of penalties if an ISP is found to not be taking adequate precautions, other than the possible threat of losing business? -----Original Message----- From: Franck Martin [mailto:franck () genius com] Sent: Monday, May 10, 2010 9:48 AM To: nanog () nanog org Subject: Re: Securing the BGP or controlling it? APNIC allows you to put your BGP data in the whois, so like this you have a third party verification tool on who is peering with who.
Current thread:
- Securing the BGP or controlling it? Franck Martin (May 09)
- Re: Securing the BGP or controlling it? Scott Howard (May 09)
- Re: Securing the BGP or controlling it? Larry Sheldon (May 10)
- Re: Securing the BGP or controlling it? Randy Bush (May 09)
- Re: Securing the BGP or controlling it? Christopher Morrow (May 10)
- Re: Securing the BGP or controlling it? Jack Bates (May 10)
- Re: Securing the BGP or controlling it? Christopher Morrow (May 10)
- Re: Securing the BGP or controlling it? Franck Martin (May 10)
- RE: Securing the BGP or controlling it? Thomas Magill (May 10)
- Re: Securing the BGP or controlling it? Zaid Ali (May 10)
- Re: Securing the BGP or controlling it? deleskie (May 10)
- RE: Securing the BGP or controlling it? Hank Nussbacher (May 10)
- Re: Securing the BGP or controlling it? Christopher Morrow (May 10)
- Re: Securing the BGP or controlling it? Scott Howard (May 09)
- Re: Securing the BGP or controlling it? Nick Hilliard (May 10)
- Re: Securing the BGP or controlling it? Aaron Glenn (May 10)
- Re: Securing the BGP or controlling it? Nick Hilliard (May 10)
- Re: Securing the BGP or controlling it? Jared Mauch (May 10)
- Re: Securing the BGP or controlling it? Nick Hilliard (May 10)
- Re: Securing the BGP or controlling it? Joe Abley (May 10)
- Re: Securing the BGP or controlling it? Danny McPherson (May 10)
- Re: Securing the BGP or controlling it? Randy Bush (May 10)
- Re: Securing the BGP or controlling it? Nick Hilliard (May 11)