nanog mailing list archives

Re: IPv4 Hijacking For Idiots


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 6 Jun 2017 12:09:08 -0400

On Tue, Jun 6, 2017 at 2:25 AM, Hank Nussbacher <hank () efes iucc ac il>
wrote:
(I think this is really Ron and Bill chatting, but some of the linkage got
lost on the tubes)



I've read article after article after article bemoaning the fact that
"BGP isn't secure",

They're talking about a different problem: ISPs are supposed to configure
end-user BGP sessions per BCP38 which limits which BGP announcements the
customer can make. Some ISPs are sloppy and incompetent and don't do
this.
Unfortunately, once you're a level or two upstream the backbone ISP
actually can't do much to limit the BGP announcements because it's often
impractical to determine whether a block of IP addresses can legitimately
be announced from a given peer.


Just a clarifying note: I don't think bcp38 talks about BGP at all,
actually...
I think Bill is actually saying:

 "ISPs are supposed to configure bcp38 to filter TRAFFIC from their
customers/peers and BGP filters to limit the scope of the customer routes
sent/received"

I don't think the filtering of customer prefixes/announcements is actually
covered in a BCP though.
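
The distinction drawn in the message above, as an added example that is not part of the original post: a source-address check on traffic (what BCP38 covers) and a prefix filter on BGP announcements are two separate controls, evaluated on different inputs. The customer prefixes (documentation ranges), the maximum prefix lengths and the function names are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample: address space assigned to one hypothetical customer.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]
# Assumption: most-specific route length accepted per address family.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def permit_packet_source(src: str) -> bool:
    """Data plane (BCP38-style ingress filtering): accept a packet from the
    customer only if its source address lies inside the customer's space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def permit_bgp_announcement(prefix: str) -> bool:
    """Control plane (BGP prefix filter): accept a route from the customer
    only if it is inside the customer's space and not too specific."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed prefix or host bits set
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in CUSTOMER_PREFIXES
    )


if __name__ == "__main__":
    # Constructed inputs: the two filters are independent, so a session with
    # a correct route filter can still emit packets the traffic filter drops.
    for src in ("192.0.2.55", "198.51.100.7"):
        print("packet from", src, "->", permit_packet_source(src))
    for route in ("192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/24"):
        print("announce", route, "->", permit_bgp_announcement(route))
```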

